Lecture 8 Review Questions


Does the security provided by ESP in tunnel mode differ in any way from that provided by ESP in transport mode?

"ESP in tunnel mode protects the header of the inner IP packet and can offer a limited traffic flow confidentiality service. More specifically, ESP in tunnel mode hides the IP addresses of the inner IP packet and can also obscure the actual length of the messages sent using traffic flow confidentiality padding. (An implementation may potentially send dummy traffic to further hide message patterns.)"

Explain the main difference between ESP in tunnel mode and ESP in transport mode.

"In tunnel mode the entire inner IP packet is protected (i.e., encrypted and optionally authenticated), including the inner IP header, while the added outer IP header is not protected. In transport mode the payload of the IP packet is protected, while the header remains unprotected."
Tunnel mode:
- Tunnel mode protects the internal routing information by encrypting the IP header of the original packet. The original packet is encapsulated by another set of IP headers.
- It is widely implemented in site-to-site VPN scenarios.
- Additional headers are added to the packet, so the payload MSS is less.
Transport mode:
- The transport mode encrypts only the payload and ESP trailer, so the IP header of the original packet is not encrypted.
- The IPsec Transport mode is implemented for client-to-site VPN scenarios.

What would be a typical application of ESP in transport mode?

"Transport mode would typically be used for host-to-host communication." For example, a transport mode IPsec circuit might be set up to allow a remote IT support technician to log in to a remote server to do maintenance work. Transport mode IPsec is used in cases where one host needs to interact with another host; the two hosts negotiate the IPsec circuit directly with each other, and the circuit is usually torn down after the session is complete.

What is the most typical application of ESP in tunnel mode?

"Tunnel mode is typically used in a gateway-to-gateway/host configuration (creating a VPN)." Tunnel mode is useful for setting up a mechanism for protecting all traffic between two networks, from disparate hosts on either end.

Is there any reason why transport adjacency (ESP - AH) may be preferred over ESP with authentication?

"Yes, if authentication of the non-mutable header fields is required." The AH protocol provides a mechanism for authentication only. The AH protocol, less frequently used than ESP, ensures the integrity of IP packets, and, combined with IKE, the authentication of the peers. In other words, AH firstly ensures that exchanged packets have not been altered during transit, and secondly guarantees the identity of a packet's sender. It also provides protection against replayed packets.

What security can be provided by MACsec, and what are its advantages/disadvantages?

- MACsec is a Layer 2 protocol.
- Uses GCM-AES-128 to offer integrity and confidentiality.
- As a Layer 2 specification, MACsec can protect not only IP traffic, but also ARP, neighbour discovery, and DHCP.
- It is an extension to 802.1X that provides secure key exchange and mutual authentication for MACsec nodes.
- IPsec (a Layer 3 security protocol) and TLS (a Layer 4 security protocol) offer different guarantees and can be a better fit, depending on the use case. MACsec does not provide traffic flow.

What is a clogging attack, and how does IKE mitigate such attacks?

A clogging attack is a type of DoS attack where the attacker makes the victim spend state and CPU cycles on useless operations. More specifically (for IKE or DH), the attacker would send numerous messages with forged source addresses to the victim. These messages would each contain a public Diffie-Hellman key, making the victim spend computing resources on modular exponentiation to compute the secret key. IKE mitigates (but does not prevent) such attacks by using a stateless cookie mechanism. This mechanism works by the responder generating a pseudorandom number (i.e., cookie) and sending this to the initiator. The initiator must then resend the initial IKE message including the cookie to the responder, proving to the responder that the initiator was able to receive the cookie sent to the claimed IP address of the initiator. The generation of the cookie is a much less expensive operation than calculating the secret key, and the cookie is generated in such a way that the responder is not required to maintain any state (e.g., hashing a secret only known to the responder together with the initiator's IP address, nonce and SPI (Security Parameter Index), as suggested in RFC 4306 for IKEv2).

How does IPsec compare to TLS?

A fundamental difference between IPsec and TLS is that IPsec is implemented at the network layer while TLS must be implemented on top of a reliable transport protocol (i.e., typically TCP). IPsec does not provide reliable or in-order packet delivery (only replay protection); if required, this must therefore be provided by higher layers (e.g., TCP). IPsec can provide a more robust security service, while TLS connections may be reset by manipulation of TCP fragments. Both IPsec and TLS (and other protocols) can be used to establish VPN connections, but IPsec is more commonly used in gateway-to-gateway/host configurations. A gateway-to-gateway configuration of IPsec with additional padding to obscure real message lengths can be used to provide some degree of traffic flow confidentiality. Because TLS is implemented above the transport layer, applications interact directly with TLS while the use of IPsec can be transparent to applications.

What is a replay attack, and how does IPsec protect against such attacks?

A replay attack is when an attacker has somehow obtained a packet or message and resends this packet/message to achieve some objective. Replay attacks are mostly relevant when the attacker is unable to fabricate messages due to message authentication. IPsec protects against replay attacks using sequence numbers and a sliding window mechanism. (Such a mechanism is also supported in DTLS.) The anti-replay mechanism works by keeping track of the sequence numbers in packets as they arrive.

Explain how confidentiality, integrity and traffic flow confidentiality can be provided by IPsec.

Confidentiality can be provided in IPsec through encryption, using ESP either in transport mode or in tunnel mode. Tunnel mode also encrypts the inner IP header. Using ESP (in tunnel or transport mode), integrity can be provided by using authenticated encryption or the ESP authentication option. Integrity can alternatively be provided using AH, in which case non-mutable header fields are also protected.

What role does IKE play with regard to IPsec?

IKE can be used to create Security Associations (SAs) on-demand (including negotiation of SA attributes) and to exchange keys for SAs. As such, it plays an important role for the applicability of IPsec on a larger scale.

What is protected by the Authentication Header and why are not all header fields protected?

The Authentication Header authenticates the payload and non-mutable header fields. In IPv6 non-mutable extension headers following the Authentication Header are also protected. (In tunnel mode the inner packet constitutes the payload and is therefore protected entirely.) The mutable header fields (e.g., IPv4 Time to Live or IPv6 Hop Limit) are not protected because they are subject to change during transmission.

What are some example use cases for MACsec?

The main use case for MACsec is to secure a standard LAN. In this setup, multiple machines connected to the same LAN are configured so that all packets exchanged between them are encrypted and can only be received by these nodes. In these figures, a red link means that packets are not protected by MACsec. Only grey links are secured by MACsec. In this first setup, the switch is not capable of encrypting frames, but it can forward MACsec-protected frames between ports. MACsec is terminated on the hosts. An alternative solution is to use a switch which supports MACsec. In that case, MACsec is enabled on the client machines as well as on the switch ports to which these machines are connected. Those access switches often also provide 802.1X services to allow strong authentication, authorization and accounting to occur before finally allowing the client to join the network. The second of these LAN setups uses a MACsec-capable switch, but hosts 3 and 4 are not using MACsec. MACsec is terminated on the switch ports. Another use case is high-speed WANs.

Does IPsec provide any form of access control? Justify your answer.

Yes, through the Security Policy Database (SPD) it can be specified whether specific traffic (e.g., between a given source and destination address) should be allowed or not (i.e., packet filtering), and whether the traffic should be required to be protected by IPsec. In the latter case packets may be required to be authenticated to "gain access".

