Internet Protocol Security (IPSec)

Overview

In the increasingly hostile modern-day world of private and public networking, security and protection of data are fundamental requirements. To provide the best protection, you must deploy defense in depth: Many layers of security are needed to repel the types of attacks you might encounter on the Internet, and more likely, from within your own network. One of the ways to provide this defense, beyond the typical measures tosecure the network perimeter and secure access to resources by instituting authentication and access control, is to secure the actual IP packets and their contents.

As described in previous chapters, IP, TCP, and User Datagram Protocol (UDP) headers contain a checksum, which is used to provide a bit-level integrity check for portions of the IP packet. However, the checksum is only detecting corrupted data. Because the checksum algorithm is well known, a malicious user can intercept an IP packet, view and modify its contents, recompute the checksums, and forward the packet to its destination. Due to the limited functionality of the checksum, the destination node is not aware and cannot detect that the packet was modified.

Historically, applications that required security provided it for themselves, leading to a variety of separate and incompatible security standards. IP Security (IPSec) is a suite of protocols and cryptographic algorithms that provide security at the Internet layer, regardless of the application sending or receiving data. With IPSec, a single security standard is used and applications do not need to be modified to use it.

IPSec Overview

IPSec is an architectural framework of Internet Engineering Task Force (IETF) standards that provides cryptographic security services for IP packets. IPSec is an end-to-end security technology: the only nodes aware of the presence of IPSec are the two IPSec peers that are communicating. Intermediate routers have no knowledge of the security relationship and forward the IP packets, as they would any other, between the communicating peers.

Properties of Secure Communications

IPSec provides the following properties for secure communications:

Hashing and Encryption Algorithms

IPSec in the Windows Server 2003 family uses the following hash algorithms:

Both hash algorithms are well known and it would be a trivial task for a malicious user to create an MD5 or SHA1 implementation. Although they can calculate MD5 or SHA1 hashes of IP datagrams, because they do not have knowledge of the secret key, these malicious users cannot easily calculate the HMAC MD5 or HMAC SHA1 keyed hash value.

IPSec in the Windows Server 2003 family uses the following encryption algorithms:

3DES is stronger than DES, but also requires much more processing time for encryption and decryption.

Key Management

To provide a secure method to determine the initial keying material from which thesecret key for secured communications is derived, IPSec uses the Diffie-Hellman keyexchange process. This technique derives a secret key known only to the two peersby exchanging two numbers over a public network. A malicious user who intercepts the key exchange packets can view the numbers, but cannot perform the same calculation as the negotiating peers to derive the shared secret key.

The Diffie-Hellman key exchange process does not prevent a man-in-the-middle attack, in which a malicious user between the negotiating peers performs two Diffie-Hellman exchanges, one with each peer. When both exchanges are complete, the malicious user has the secret keys to communicate with both peers. To prevent such an attack, IPSec for the Windows Server 2003 family performs an immediate authentication after the Diffie-Hellman key exchange is complete. If the IPSec peer cannot perform a validauthentication, the security negotiation is abandoned before any data is sent.

The Diffie-Hellman secret key is the keying material from which the secret keys forsecure communications are derived. IPSec for the Windows Server 2003 family also supports dynamic rekeying, the determination of new keying material through a new Diffie-Hellman exchange. Dynamic rekeying is based on an elapsed time (by default, 480 minutes [8 hours]) or the number of data sessions created with the same set of keying material (by default, this number is unlimited).

Security Associations

A security association (SA) is the combination of security services, protection mechanisms, and cryptographic keys mutually agreed to by communicating peers. The SA, also known as the mode SA, contains the information needed to determine how the traffic is to be secured (the security services and protection mechanisms) and with what secret keys (cryptographic keys). There are two types of SAs that are created when IPSec peers communicate securely: the ISAKMP SA and the IPSec SA.

ISAKMP SA

The Internet Security Association and Key Management Protocol (ISAKMP) SA, also known as the main mode SA, is used to protect IPSec security negotiations. The ISAKMP SA is created by negotiating the ciphersuite used for protecting future ISAKMP traffic, exchanging key generation material, and then identifying and authenticating each IPSec peer. When the ISAKMP SA is complete, all future SA negotiations for both types of SAs are protected. This is an aspect of secure communications known as protected ciphersuite negotiation. Not only is the data protected, but the determination of the protectionalgorithms negotiated by the IPSec peers is also protected. To break IPSec protection, a malicious user must first determine the ciphersuite protecting the data, which represents another barrier. For IPSec, the only exception to complete protected ciphersuite negotiation is the negotiation of the ciphersuite of the initial ISAKMP SA, which is sent as plaintext.

IPSec SA

The IPSec SA, also known as the quick mode SA, is used to protect data sent between the IPSec peers. The IPSec SA ciphersuite negotiation is protected by the ISAKMP SA. No information about the type of traffic or the protection mechanisms is sent as plaintext. For a pair of IPSec peers, there are always two IPSec SAs: one is negotiated for inbound traffic and one is for outbound traffic. The inbound SA for one IPSec peer is the outbound SA for the other.

Security Parameters Index

For each IPSec session, IPSec peers must track the usage of three different SAs: the ISAKMP SA, the inbound IPSec SA, and the outbound IPSec SA. To identify a specific SA, a 32-bit pseudorandom number known as the Security Parameters Index (SPI) is used. The SPI is used for SA management at each IPSec peer and is a field in the IPSec headers protecting IPSec traffic and in the messages negotiating or managing SAs.

The node that initiates an IPSec session is known as the initiator. The node that responds to a request to perform IPSec protection is known as the responder. The initiator chooses the ISAKMP SA SPI and each IPSec peer chooses the IPSec SA SPIs for its outbound traffic.

Creating SAs

An IPSec session negotiation and determination of both ISAKMP and IPSec SAs occurs in two phases: the main mode phase (also known as Phase I) and the quick mode phase (also known as Phase II).

Main Mode

Main mode negotiation creates the ISAKMP SA. The initiator and responder exchange a series of ISAKMP messages to negotiate the ciphersuite for the ISAKMP SA (in plaintext), exchange key determination material (in plaintext), and identify and authenticate each other (in encrypted text). For more information about the details of main mode negotiation, see the section entitled "Main Mode Negotiation," later in this chapter.

Quick Mode

Quick mode negotiation creates the two IPSec SAs. The initiator and responder exchange a series of ISAKMP messages to negotiate the ciphersuite for both the inbound and outbound IPSec SAs. During quick mode negotiation, keying material is refreshed or, if necessary, new keys are generated. For more information about the details of quick mode negotiation, see the section entitled "Quick Mode Negotiation," later in this chapter.

For IPSec for the Windows Server 2003 family, a complete IPSec session negotiation including both main mode and quick mode requires 10 ISAKMP messages exchanged between IPSec peers.

IPSec Headers

IPSec provides its security services by wrapping the IP payload with an additional header or trailer containing the additional information to provide data origin authentication, data integrity, data confidentiality, and replay protection. IPSec headers consist of the following:

The result of applying the AH or ESP to an IP datagram transforms it to a secure datagram. Consequently, AH and ESP are sometimes referred to as transforms.

Authentication Header

The AH is a header that provides data origin authentication, data integrity, andreplay protection for the entire IP datagram. Figure 22-1 shows the structure of the AH.

Figure 22-1: The IPSec Authentication header.

The AH consists of the following fields:

AH Transport Mode

IPSec has two main modes of operation: transport mode and tunnel mode.

Figure 22-2 shows AH transport mode for an IP datagram.

Figure 22-2: AH transport mode.

The AH header is added to the IP datagram just after the IP header. In the IP header, the Protocol field is set to 51 (0x33) to indicate that an AH is present. Other than changing the Protocol field, the original IP header is unmodified. Normal routers forward this traffic as any other IP packet. Firewalls, on the other hand, might need to be configured toallow the forwarding of IP protocol 51 traffic. The upper-layer PDU is also unmodified.Inserting an AH creates additional packet overhead, which lowers the effective maximum transmission unit (MTU) between the two endpoints. Calculating the ICV for the AH header also imposes additional processing overhead for each protected packet. Using network adapters that can perform cryptographic calculations in hardware can minimize this overhead.

For AH transport mode, the ICV calculation is performed over the following:

For AH transport mode, the AH protects the IP header, except the fields that are allowed to change, and the upper-layer PDU of the original IP datagram.

Frame 11 of Network Monitor Capture 22-01 (in the Captures folder on the companion CD-ROM) provides an example of an AH-protected ICMP Echo message.

AH Tunnel Mode

Figure 22-3 shows AH tunnel mode for an IP datagram.

Figure 22-3: AH tunnel mode.

In AH tunnel mode, the entire original IP datagram is encapsulated with a new (outer) IP header and an AH. In the IP header, the Protocol field is set to 51 (0x33) to indicate that an AH is present. For tunnel mode, the original IP header and upper-layer PDU are unmodified.

The outer IP header is constructed from the configuration of the IPSec tunnel. For IPSec for the Windows Server 2003 family, the destination IP address in the outer header is configured in the Tunnel Setting tab from the properties of an IPSec rule using the IP Security Policies snap-in. The source IP address is the locally assigned IP address that is the best source to reach the tunnel destination address.

For AH tunnel mode, the ICV calculation is performed over the following:

For AH tunnel mode, the AH protects the entire original IP packet (both the IP header and the upper-layer PDU) at the expense of an additional outer IP header.

Encapsulating Security Payload (ESP) Header

Encapsulating Security Payload (ESP) is a header and trailer combination that provides data origin authentication, data integrity, replay protection, and data confidentiality for the ESP-encapsulated portion of the packet. Figure 22-4 shows the structure of the ESP header and trailer.

Figure 22-4: The IPSec Encapsulating Security Payload header and trailer.

The ESP header consists of the following fields:

The ESP trailer consists of the following fields:

Because the use of a specific ICV algorithm is negotiated before data with an ESP header and trailer is sent, each peer knows the size of the Authentication Data portion of the ESP trailer and can determine the location of the end of the ESP-encapsulated payload.

Frame 11 of Network Monitor Capture 22-02 (in the Captures folder on the companion CD-ROM) provides an example of an ESP-protected payload. Network Monitor cannot interpret the encrypted portions of an ESP-protected packet.

ESP Transport Mode

Figure 22-5 shows ESP transport mode for an IP datagram.

Figure 22-5: ESP transport mode.

For ESP transport mode, the ESP header is added to the IP datagram just after the IP header and the ESP trailer is added just after the upper-layer PDU. In the IP header, the Protocol field is set to 50 (0x32) to indicate that an ESP header is present. Other than changing the Protocol field, the original IP header is unmodified. Routers forward this traffic as any other IP packet. Firewalls, on the other hand, might need to be configured to allow the forwarding of IP protocol 50 traffic. The upper-layer PDU is also unmodified.

Like AH, inserting an ESP header and trailer creates additional packet overhead, which lowers the effective MTU between the two endpoints. Performing the data encryption and calculating the ICV for the ESP trailer imposes additional processing overhead for each protected packet. Using network adapters that can perform cryptographic calculations in hardware can minimize this overhead.

For ESP transport mode, the following portions of the packet are encrypted:

For encryption algorithms such as DES that use CBC, there is an unencrypted fieldbetween the ESP header and the upper-layer PDU. This field is the IV for the CBC calculation performed at the receiver. This field cannot be encrypted because it is used to begin the decryption process. For DES and 3DES, the IV is 64 bits (8 bytes) long.

The inclusion of the IV as plaintext in the packet is not a security problem. The IV does not provide additional cryptographic strength, only a way to ensure that the encryption of the same block does not produce the same ciphertext. A malicious user might be able to view the IV, but without the encryption key, he or she cannot decrypt the ciphertext portion of the packet. To prevent a malicious user from modifying the IV and causing the receiver to produce garbled deciphered data, the IV is protected by the ICV.

For ESP transport mode, the ICV calculation is performed over the following:

For ESP transport mode, the ESP trailer does not provide protection for the IP header and the Authentication Data field of the ESP trailer. To obtain protection for these elements, use both AH and ESP, as shown in Figure 22-6.

Figure 22-6: Using both AH and ESP to protect an IP packet.

In this situation, the ESP header and trailer wraps the upper-layer PDU, which then becomes the upper-layer PDU that is wrapped with an AH and the original IP header. Now the entire packet is protected (except the changeable fields in the IP header).

Frame 11 of Network Monitor Capture 22-03 (in the Captures folder on the companion CD-ROM) provides an example of an AH- and ESP-protected IP payload.

ESP Tunnel Mode

Figure 22-7 shows ESP tunnel mode for an IP datagram.

Figure 22-7: ESP tunnel mode.

In ESP tunnel mode, the entire original IP datagram is encapsulated with a new (outer) IP header and an ESP header and trailer. In the outer IP header, the Protocol field is set to 50 (0x32) to indicate that an ESP header is present. For tunnel mode, the original IP header and upper-layer PDU are unmodified. Like AH tunnel mode, the outer IP header is constructed from the configuration of the IPSec tunnel.

For ESP tunnel mode, the following portions of the packet are encrypted:

For ESP tunnel mode, the ICV calculation is performed over the following:

For ESP tunnel mode, the ESP trailer does provide protection for the originalIP header and upper-layer PDU, but does not provide protection for the outer IP header and the Authentication Data field of the ESP trailer.

  More Info

ESP is defined in RFC 2406, which can be found in the Rfc folder on the companion CD-ROM.

Internet Key Exchange

The Internet Key Exchange (IKE) is a standard that defines a mechanism to establish SAs. IKE, described in RFC 2409, combines ISAKMP and the Oakley Key Determination Protocol.

IPSec uses the ISAKMP protocol to negotiate SAs. ISAKMP includes facilities to identify and authenticate peers, manage SAs, and exchange key material. ISAKMP is a framework for negotiating secure communications independent of specific key exchange protocols, encryption and integrity algorithms, and authentication methods.

To generate secret key material for secure communications, IKE uses the Oakley Key Determination protocol. Oakley is based on the Diffie-Hellman key exchange algorithm, which allows two peers to determine a secret key by exchanging unencrypted values over a public network. The shared secret key becomes keying material from which secret keys for HMAC or encryption algorithms are derived.

  More Info

The details of the Diffie-Hellman algorithm and the Oakley protocol are outside the scope of this book, but they are described in RFC 2412. IKE isdefined in RFC 2407. Both of these RFCs can be found in the Rfc folder on the companion CD-ROM.

ISAKMP Message Structure

ISAKMP messages are sent as the payload of UDP messages using UDP port 500. Figure 22-8 shows the format of an ISAKMP message.

Figure 22-8: An ISAKMP message.

The ISAKMP message consists of an ISAKMP header and one or more ISAKMP payloads. The ISAKMP payloads contain negotiation information and are encrypted for most ISAKMP messages. The encryption protects the negotiation from being viewed by malicioususers who are capturing ISAKMP traffic. The encrypted portions of ISAKMP messages cannot be viewed with Network Monitor.

  More Info

ISAKMP is defined in RFC 2408, which can be found in the Rfc folder on the companion CD-ROM.

ISAKMP Header

The ISAKMP header is a standard header that is present for all ISAKMP messages and contains information about the message, including the type of packet. Figure 22-9 shows the format of the ISAKMP header.

Figure 22-9: The ISAKMP header.

The fields in the ISAKMP header are defined as follows:

SA Payload

The SA payload is used to indicate the domain of interpretation (DOI) and situation for the SA negotiation. The DOI is a set of definitions for payload formats, exchange types, and naming conventions for security-related information, such as the naming of policies and cryptographic algorithms. A situation is a set of information that identifies security services in the ISAKMP message. Figure 22-10 shows the format of the SA payload.

Figure 22-10: The SA payload.

The fields in the SA payload are defined as follows:

Proposal Payload

The Proposal payload contains security parameter information that is used to negotiate the security settings for either an ISAKMP or IPSec SA. The Proposal payload contains proposal settings and then a series of one or more Transform payloads that contain the specific security settings for encryption and authentication algorithms for the SA. Figure 22-11 shows the format of the Proposal payload.

Figure 22-11: The Proposal payload.

The fields in the Proposal payload are defined as follows:

Transform Payload

The Transform payload contains information that identifies a specific security mechanism, or transform, that is proposed to secure future traffic. The Transform payload also contains SA attributes, as defined in RFC 2407 for the IPSec DOI. Figure 22-12 shows the Transform payload.

Figure 22-12: The Transform payload.

The fields in the Transform payload are defined as follows:

The following Network Monitor frame (Frame 1 of Capture 22-01 in the Captures folder on the companion CD-ROM) displays the relationship among the SA, Proposal, and Transform payloads, and the SA attributes within a Transform payload:

+ Frame: Base frame properties + ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol + IP: ID = 0x261A; Proto = UDP; Len: 304 + UDP: Src Port: ISAKMP, (500); Dst Port: ISAKMP (500); Length = 284 (0x11C) ISAKMP: Major Version: 1 Minor Version: 0 Length: 276 ISAKMP: Initiator cookie = 18 DE 7D 29 15 E6 06 71 ISAKMP: Responder cookie = 00 00 00 00 00 00 00 00 ISAKMP: Next payload = Security Association ISAKMP: Major version = 1 (0x1) ISAKMP: Minor version = 0 (0x0) ISAKMP: Exchange type = Identity Protection + ISAKMP: Flags summary = 0 (0x0) ISAKMP: Message ID = 0 (0x0) ISAKMP: Length = 276 (0x114) ISAKMP: Payload type = Security Association ISAKMP: Next payload = Vendor ID ISAKMP: Reserved = 0 (0x0) ISAKMP: Payload length = 164 (0xA4) ISAKMP: DOI = 1 (0x1) ISAKMP: Situation = SIT_INDENTITY_ONLY ISAKMP: Payload type = Proposal ISAKMP: Next payload = None ISAKMP: Reserved = 0 (0x0) ISAKMP: Payload length = 152 (0x98) ISAKMP: Proposal number = 1 (0x1) ISAKMP: Protocol ID = 1 (0x1) ISAKMP: SPI size = 0 (0x0) ISAKMP: Number of transforms = 4 (0x4) ISAKMP: Payload type = Transform ISAKMP: Next payload = Transform ISAKMP: Reserved = 0 (0x0) ISAKMP: Payload length = 36 (0x24) ISAKMP: Transform number = 1 (0x1) ISAKMP: Transform ID = 1 (0x1) ISAKMP: Reserved = 0 (0x0) + ISAKMP: SA attribute = 80 01 00 05 + ISAKMP: SA attribute = 80 02 00 02 + ISAKMP: SA attribute = 80 04 00 02 + ISAKMP: SA attribute = 80 03 00 01 + ISAKMP: SA attribute = 80 0B 00 01 + ISAKMP: SA attribute = 00 0C 00 04 00 00 70 80 + ISAKMP: Payload type = Transform + ISAKMP: Payload type = Transform + ISAKMP: Payload type = Transform + ISAKMP: Payload type = Vendor ID + ISAKMP: Payload type = Vendor ID + ISAKMP: Payload type = Vendor ID + ISAKMP: Payload type = Vendor ID

Vendor ID Payload

The Vendor ID payload contains a string or number that either indicates a specific capability or is defined by a vendor so that an IPSec implementation can recognize an IPSec peer running the same implementation. IPSec peers are not required to run the same implementation or support the same capabilities, so the sending of Vendor ID payloads and the actions taken when they are received are optional. If a receiver recognizes the Vendor ID, it can make use of the capability or use private payloads, which use the Payload ID numbers 128 through 255. For vendor identification, the Vendor ID value must be unique and is typically a hash of well-known text chosen by the designers of an IPSec implementation. For capability identification, the Vendor ID value must be unique and is typically chosen by the designers of the IPSec capability.

Figure 22-13 shows the format of the Vendor ID payload.

Figure 22-13: The Vendor ID payload.

The only field in the Vendor ID payload (besides the Next Header, Reserved, and Payload Length fields) is the Vendor ID field, a variable-length field that contains the Vendor ID value.

IPSec for the Windows Server 2003 family uses four different Vendor ID payloads:a Vendor ID payload to indicate a Microsoft IPSec peer, a Vendor ID payload to indicateNetwork Address Translator Traversal capability, a Vendor ID payload to indicate fragmentation support, and a Vendor ID payload to indicate support for network load balancing.

Nonce Payload

The Nonce payload contains a pseudorandom number that is used to ensure a liveexchange and provide replay protection. Nonces are also used to calculate hashes in other payloads. Figure 22-14 shows the format of the Nonce payload.

Figure 22-14: The Nonce payload.

The only field in the Nonce payload (besides the Next Header, Reserved, and Payload Length fields) is the Nonce Data field, a variable-length field that contains the pseudorandom number determined by the sender of the ISAKMP message.

Key Exchange Payload

The Key Exchange payload contains information pertaining to the key exchange process. The key exchange process supported by IPSec for the Windows Server 2003 family is Diffie-Hellman. With Diffie-Hellman, two IPSec peers exchange key values that are sent in plaintext. From the key values, each IPSec peer calculates the same private key. What is interesting about the Diffie-Hellman exchange is that a malicious user between the IPSec peers can view the exchanged key values, but cannot easily calculate the sameresult as the IPSec peers. Figure 22-15 shows the format of the Key Exchange payload.

Figure 22-15: The Key Exchange payload.

The only field in the Key Exchange payload (besides the Next Header, Reserved, and Payload Length fields) is the Key Exchange Data field, a variable-length field that contains the key exchange value determined by the sender of the ISAKMP message.

Notification Payload

The Notification payload is used to transmit control information, such as an error condition, to an IPSec peer. A single ISAKMP message can contain multiple Notification payloads. For Notification payloads within a main mode message, the initiator and responder cookies identify the negotiation. Figure 22-16 shows the format of the Notification payload.

Figure 22-16: The Notification payload.

The fields in the Notification payload are defined as follows:

Table 22-3 lists some of the notification error messages specified in RFC 2408. For a complete list, see section 3.14.1 of RFC 2408.

Table 22-3: Notification Error Messages

Notification Message Type Value

Notification Message

1

INVALID-PAYLOAD-TYPE

2

DOI-NOT-SUPPORTED

3

SITUATION-NOT-SUPPORTED

4

INVALID-COOKIE

5

INVALID-MAJOR-VERSION

6

INVALID-MINOR-VERSION

Table 22-4 lists some of the notification status messages specified in RFC 2408.

Table 22-4: Notification Status Messages

Notification Message Type Value

Notification Message

16384

CONNECTED

16385–24575

RESERVED (Future Use)

24576–32767

DOI-specific codes

32768–40959

Private Use

40960–65535

RESERVED (Future Use)

Delete Payload

The Delete payload is used to inform an IPSec peer that an SA for a specific protocol has been deleted. The receiver should remove its corresponding SA. IPSec for the Windows Server 2003 family now supports verification of Delete payloads. If an ISAKMP message with a Delete payload is received, the receiver acknowledges it. If an acknowledgment is not received, the Delete payload is resent. Figure 22-17 shows the format of the Delete payload.

Figure 22-17: The Delete payload.

The fields in the Delete payload are defined as follows:

Identification Payload

The Identification payload is used to convey identification information and authenticate an IPSec peer.

Figure 22-18 shows the format of the Identification payload.

Figure 22-18: The Identification payload.

The fields in the Identification payload are defined as follows:

Hash Payload

The Hash payload contains a hash value that is a result of a hash function computed over a set of fields or other parameters. The Hash payload can be used to provide integrity or authentication of negotiating peers. Figure 22-19 shows the format of the Hash payload.

Figure 22-19: The Hash payload.

The only field in the Hash payload (besides the Next Header, Reserved, and Payload Length fields) is the Hash Data field, a variable-length field that contains the hash value. Both IPSec peers must agree to the set of fields or other parameters over which the hash is calculated.

Certificate Request Payload

The Certificate Request payload is used to request certificates from an IPSec peer. After receipt of an ISAKMP message with a Certificate Request payload, an IPSec peer must send a cer tificate or certificates based on the contents of the Certificate Request payload. Figure 22-20 shows the format of the Certificate Request payload.

Figure 22-20: The Certificate Request payload.

The fields in the Certificate Request payload are defined as follows:

Certificate Payload

The Certificate payload is used by an IPSec peer when sending its certificate. This is typically done during the authentication phase of main mode negotiation. Figure 22-21 shows the format of the Certificate payload.

Figure 22-21: The Certificate payload.

The fields in the Certificate payload are defined as follows:

Signature Payload

The Signature payload is used to send digital signatures calculated over a set of fields or parameters. The Signature payload provides data integrity and nonrepudiation services during the authentication phase of main mode negotiation. Figure 22-22 shows the format of the Signature payload.

Figure 22-22: The Signature payload.

The only field in the Signature payload (besides the Next Header, Reserved, and Payload Length fields) is the Signature Data field, a variable-length field that contains the digital signature value. Both IPSec peers must agree on the set of fields and parameters over which the digital signature is calculated.

Main Mode Negotiation

Oakley main mode negotiation is used to determine encryption key material and security protection for use in protecting subsequent main mode or quick mode communications. Main mode negotiation occurs in the following steps:

  1. Negotiation of protection suites
  2. A Diffie-Hellman exchange
  3. Authentication

      Note

    IPSec for the Windows Server 2003 family does not support aggressive mode negotiation.

Main mode negotiation consists of six ISAKMP messages: three sent by the initiator and three sent by the responder. Messages 1 and 2 are for the negotiation of protection suites. Messages 3 and 4 are for the Diffie-Hellman exchange. Messages 3 through 6 can be used for authentication. The specific contents of messages 3 through 6 depend on the authentication method.

Negotiation of Protection Suites

The first message in an IKE negotiation is sent by the initiator and contains the following payloads:

The second message in an IKE negotiation is sent by the responder and contains the following payloads:

Table 22-6 lists the protection suite attributes that are supported by IPSec for theWindows Server 2003 family.

Table 22-6: Main Mode Attribute Values Supported by the Windows Server 2003 Family

Attribute

Attribute Value

Encryption algorithm

DES, 3DES

Integrity algorithm

MD5, SHA-1

Authentication method

Kerberos, preshared key, certificate

Diffie-Hellman group

Group 1 (768-bit), Group 2 (1024-bit), 2048-bit

Key Exchange and Authentication

IPSec for the Windows Server 2003 family supports three methods of authentication:

Unlike Point-to-Point Protocol (PPP) authentication for dial-up or virtual private network (VPN) connections, which authenticates the user using the computer at the time of the authentication negotiation, IPSec authentication authenticates only the computer at the time of the negotiation.

Kerberos Authentication

Kerberos authentication is the default authentication method. It is designed for usebetween computers in an Active Directory domain. Kerberos authentication for IPSec main mode is based on the Generic Security Service (GSS) API IKE authentication method,described in the Internet draft entitled "A GSS-API Authentication Method for IKE," which can be found in the Ietf Drafts folder on the companion CD-ROM.

The third message for a Kerberos-authenticated main mode negotiation, sent by the initiator, contains the following payloads:

The fourth message for a Kerberos-authenticated main mode negotiation, sent by the responder, contains the following payloads:

The fifth message for a Kerberos-authenticated main mode negotiation, which is sent by the initiator and encrypted, contains the following payloads:

The sixth message for a Kerberos-authenticated main mode negotiation, which is sent by the responder and encrypted, contains the following payloads:

Kerberos authentication is successful when each peer verifies the other peer's Kerberos token and hash value.

The hash calculation is performed over the following values:

Network Monitor Capture 22-02 (in the Captures folder on the companion CD-ROM) provides an example of Kerberos authentication.

Certificate Authentication

Certificate authentication involves the exchange of public key certificates for validation. IPSec for the Windows Server 2003 family supports X.509 version 3 certificates and certificate authentication must be configured in the Authentication Method tab for a rule within an IPSec policy. When configuring certificate authentication, the list of trusted root CAs is specified. You do not necessarily specify the root CA of the issuing CA of the certificate that will be sent, only the root CAs for the issuing CAs of the certificates that are acceptable to receive. Internally, IPSec for the Windows Server 2003 family uses the CryptoAPI to perform various certificate retrieval, verification, and digital signature creation functions.

The third message for a certificate-authenticated main mode negotiation, sent by the initiator, contains the following payloads:

The fourth message for a certificate-authenticated main mode negotiation, sent by the responder, contains the following payloads:

The fifth message for a certificate-authenticated main mode negotiation, which is sent by the initiator and is encrypted, contains the following payloads:

The sixth message for a certificate-authenticated main mode negotiation, which is sent by the responder and is encrypted, contains the following payloads:

Certificate authentication is successful when each peer verifies the other peer's certificate and digital signature.

For Layer Two Tunneling Protocol with IPSec (L2TP/IPSec) connections, you cannot configure the list of trusted root CAs. The list of trusted root CAs is based on the root CAs for the issuing CAs for certificates installed in the Local Computer certificate store. To have a successful L2TP/IPSec connection, each IPSec peer must have an installed computer certificate that was issued by an issuing CA of a trusted root CA that also issued computer certificates to the other IPSec peer.

Network Monitor Capture 22-04 (in the Captures folder on the companion CD-ROM) provides an example of certificate authentication.

Certificate Revocation Checking

By default, IPSec for the Windows Server 2003 family does not perform certificate revocation checking on the sent certificate or the chain of certificates from the issuing CA to the root CA of the issuing CA. Certificate revocation checking is done by verifying that each certificate in the chain is not on a certificate revocation list (CRL) that wascreated and published by the issuing CA. To enable certificate revocation checking, use the following registry setting:

StrongCrlCheck

Location: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesPolicyAgentOakley Data type: REG_DWORD Valid range: 0-2 Default: 0 Present by default: No

Set StrongCrlCheck to 1 to fail certificate revocation checking if the certificate has been revoked by verifying its revoked status with the CRL. If the CRL distribution point is not available on the network or the creator of the CRL did not issue the certificate, the certificate is assumed to be valid. Set StrongCrlCheck to 2 to fail the certification validation for any certificate revocation check error. In this case, the CRL distribution point must be reachable on the network, and it must verify that it issued the certificate and that it is not revoked. By default, StrongCrlCheck is set to 0, indicating that no certificate revocation checking is done.

If you change this value, you must stop and start the IPSec services either through the Services snap-in or by running the net stop policyagent and net start policyagent commands at a command prompt. If the computer is running Routing and Remote Access, you should stop the Routing and Remote Access service before you stop the IPSec services and start the Routing and Remote Access service after you start the IPSec services.

Preshared Key Authentication

Preshared key authentication involves the exchange of the knowledge of a manually configured preshared key. IPSec for the Windows Server 2003 family includes preshared key authentication to adhere to the IPSec standards and provide interoperability with other IPSec implementations that do not support Kerberos or certificate authentication.

A preshared key is configured in the Authentication Methods tab in the properties of an IPSec rule in the IP Security Policies snap-in. Because the preshared key is visible to all those who can view the IPSec policy settings (users with local or domain administrator privileges), preshared key authentication is not a secure authentication method and is not recommended for use in production environments.

The third message for a preshared key-authenticated main mode negotiation, sent by the initiator, contains the following payloads:

The fourth message for a preshared key-authenticated main mode negotiation, sent by the responder, contains the following payloads:

The fifth message for a preshared key-authenticated main mode negotiation, which is sent by the initiator and is encrypted, contains the following payloads:

The sixth message for a certificate-authenticated main mode negotiation, which is sent by the responder and is encrypted, contains the following payloads:

Preshared key authentication is successful when each peer verifies the other peer's hash.

Network Monitor Capture 22-05 (in the Captures folder on the companionCD-ROM) provides an example of preshared key authentication.

Quick Mode Negotiation

When the main mode negotiation is complete, each IPSec peer has selected a specific set of cryptographic algorithms for securing main mode and quick mode messages,exchanged key information to derive a shared secret key, and performed authentication. Before secure data is sent, a quick mode negotiation must occur to determine the type of traffic to be secured and how it will be secured. A quick mode negotiation is also done when a quick mode SA expires. Quick mode messages are ISAKMP messages that are encrypted using the ISAKMP SA. The result of a quick mode negotiation is two IPSec SAs: one for inbound traffic and one for outbound traffic.

Quick mode negotiation for IPSec for the Windows Server 2003 family consists of four ISAKMP Messages. The first Quick Mode ISAKMP message, sent by the initiator, contains the following payloads:

The second quick mode ISAKMP message, sent by the responder, contains the following payloads:

The second message has the Commit flag in the ISAKMP header set.

The third quick mode ISAKMP message, sent by the initiator, contains the following payload:

The fourth quick mode ISAKMP message, sent by the responder, contains the following payload:

The setting of the Commit bit in quick mode message 2 and the sending of the CONNECTED status message in quick mode message 4 are not required by the ISAKMPor IKE standards. IPSec for the Windows Server 2003 family uses this facility toprevent the initiator from sending IPSec-protected packets to the responder before theresponder is ready to receive them.

Retransmit Behavior

For main mode negotiations, the retransmit behavior of the initiator is thefollowing:

  1. Send main mode message 1. Wait 1 second for a response.
  2. If a response is not received, retransmit main mode message 1 and wait 2 seconds for a response. If unsecured communication is allowed, unsecured traffic can be sent. Even though unsecured traffic is sent, the initiator continues to attempt a main mode negotiation.
  3. Retransmit main mode message 1 and wait 4 seconds for a response.
  4. Retransmit main mode message 1 and wait 8 seconds for a response.
  5. Retransmit main mode message 1 and wait 16 seconds for a response.
  6. Retransmit main mode message 1 and wait 32 seconds for a response.
  7. Abandon main mode negotiation.

It takes 63 seconds for a main mode negotiation to fail. This retransmit behavior is part of the IKE standard. For unsecured traffic, it takes 3 seconds before the initiator sends unsecured traffic.

For quick mode negotiations, the retransmit behavior for either IPSec peer is thefollowing:

  1. Send quick mode message 1 and wait 1 second for a response.
  2. Retransmit quick mode message 1 and wait 2 seconds for a response.
  3. Retransmit quick mode message 1 and wait 4 seconds for a response.
  4. Retransmit quick mode message 1 and wait 8 seconds for a response.
  5. Retransmit quick mode message 1 and wait 16 seconds for a response.
  6. Retransmit quick mode message 1 and wait 32 seconds for a response.
  7. If this quick mode negotiation is not the first quick mode for the current main mode (a rekey), restart quick mode negotiation. Otherwise, abandon quick mode negotiation.

It takes 63 seconds for a quick mode negotiation to fail. This retransmit behavior is part of the IKE standard. The initiator of the main mode negotiation does the initial quick mode negotiation. After a successful quick mode negotiation, either IPSec peer can initiate a new quick mode negotiation.

IPSec NAT Traversal

IPSec was designed to provide end-to-end security for two computers located in the same address domain. If two computers are located in different address domains, such as private IP addresses used on a home network and public IP addresses used on the Internet, then the addresses must be translated for communication to occur. The translation of addresses and TCP or UDP ports for network address translation to connect users to the Internet invalidates the security services of IPSec. Specifically, address and port translation causes the following problems for ESP-based IPSec traffic:

Network Address Translators (NATs) are very prevalent in today's public address-starved Internet. To allow IKE negotiation and ESP-encapsulated packets to work over NATs, IPSec for the Windows Server 2003 family supports IPSec NAT traversal (NAT-T) asdescribed in version 2 of the Internet drafts titled "UDP Encapsulation of IPSec Packets" and "Negotiation of NAT-Traversal in the IKE." These drafts are included in the Ietf Drafts folder on the companion CD-ROM. NAT-T is especially useful when making L2TP/IPSec connections from a VPN client that is behind a NAT.

NAT-T consists of the following elements used during main mode:

A receiving IPSec peer validates both NAT-D payloads. If either does not validate correctly, then an intermediate NAT is present and NAT-T quick mode options are used. In addition, a new IKE message header format is defined that uses UDP port 4500. The NAT- T IKE header contains a new Non-ESP Marker field that allows the receiver to distinguish between UDP-encapsulated ESP-protected traffic and NAT-T IKE messages.

NAT-T consists of the following elements used during quick mode:

NAT-T for IKE and ESP consists of the following elements used when sending data:

The combination of these elements and additional processing steps allows:

Summary

IPSec is the standard method of providing security services for IP packets. The two protocols used for IP packet protection are AH and ESP. AH provides data origin authentication, data integrity, and replay protection for the entire IP packet, except for the fields in the IP header that are allowed to change. ESP provides data origin authentication, data integrity, data confidentiality, and replay protection for the ESP-encapsulated payload. To negotiate SAs for sending secure traffic, IPSec uses IKE, a combination of ISAKMP and the Oakley Key Determination Protocol. ISAKMP messages contain many types of payloads to exchange information during SA negotiation. Main mode negotiation is used to establish the ISAKMP SA, which is used to protect future main mode and all quick mode negotiations. Quick mode negotiation is used to establish the IPSec SA to protect data. IPSec NAT-T is a set of ISAKMP payloads and changes to the ISAKMP protocol that provides ESP protection for IPSec peers located behind a NAT.

Категории