Virtual Private Networks - Security @ HSR

1 .Internet Security 1 ( IntSi1 ) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications (ITA) 13 Virtual Private Networks

2 .Layer 2 versus Layer 3 versus Layer 4 Application layer ssh , S/MIME, PGP, Kerberos , WSS Transport layer TLS, [SSL] Network layer IPsec Data Link layer [PPTP, L2TP], IEEE 802.1X, IEEE 802.1AE, IEEE 802.11i (WPA2) Physical layer Quantum Communications Communication layers Security protocols

3 .Internet Security 1 ( IntSi1 ) 13.1 Point- to -Point Protocol (PPP)

4 .PPP PPP Encapsulation IP, IPX Payload PSTN (POTS / ISDN) IP, IPX Payload Private Network Public Switched Telephone Network Remote Client Remote Access Server Authentication using PAP (password), CHAP (challenge/response), or the Extensible Authentication Protocol (EAP) supporting e.g. token cards Optional PPP packet encryption (ECP) using preshared secrets Individual PPP packets are not authenticated The Link Control Protocol (LCP), as well as EAP and ECP are not protected !! PPP – based Remote Access using Dial – In

5 .The PPP Encryption Control Protocol (ECP) The Encryption Control Protocol (ECP, RFC 1968) uses the same packet exchange mechanism as the Link Control Protocol (LCP, RFC 1661). ECP packets may not be exchanged until PPP has reached the Network-Layer Protocol phase and should wait for an optional Authentication phase. Exactly one ECP packet is encapsulated in the PPP Information field, where the PPP Protocol field indicates type 0x8053 . An encrypted packet is encapsulated in the PPP Information field, where the PPP Protocol field indicates type 0x0053 (Encrypted datagram). Compression may also be negotiated using the Compression Control Protocol (CCP, RFC 1962). ECP implementations should use the PPP Triple-DES Encryption Protocol (3DESE, RFC 2420). DES-EDE3-CBC with a 168 bit key is used. 0x8053 Code ID Length ECP Options (algorithm, IV) Seq. Nr 0x0053 Ciphertext

6 .The PPP Extensible Authentication Protocol (EAP) Some of the authentication types supported by EAP (RFC 2284): 1 Identity 4 MD5-Challenge 5 One-Time Password (OTP, RFC 2289) 6 Generic Token Card 9 RSA Public Key Authentication 13 EAP-TLS (RFC 2716, supported by Windows XP) 15 RSA Security SecurID EAP 17 EAP-Cisco Wireless 18 Nokia IP smart card authentication 23 UMTS Authentication and Key Argreement 24 EAP-3Com Wireless 25 PEAP (Protected EAP, supported by Windows XP) 29 EAP-MSCHAP-V2 (supported by Windows XP) 35 EAP-Actiontec Wireless 36 Cogent Systems Biometrics Authentication EAP 0xC227 Code ID Length Type Data

7 .Internet Security 1 ( IntSi1 ) 13.2 Layer 2/3/4 VPNs

8 .Layer 2 Tunneling Protocol (L2TP) IP, IPX Payload Private Network Internet IP ISP NAS Remote Client Network Access Server PSTN PPP over PSTN PPP IP, IPX Payload PSTN Layer 2 IP UDP Port 1701 over IP UDP L2TP PPP IP, IPX Payload Layer 3 L2TP LNS LAC L2TP Tunnel PPP IP, IPX Payload Compulsory Mode

9 .Layer 2 Tunneling Protocol (L2TP) Voluntary Mode UDP Port 1701 over IP IP UDP L2TP PPP IP, IPX Payload IP, IPX Payload Private Network Internet IP ISP NAS Remote Client Network Access Server PSTN L2TP LNS LAC L2TP Tunnel PPP IP, IPX Payload Layer 2 Connection (Wire) PPP PPP over PSTN IP UDP L2TP PPP IP, IPX Payload PSTN

10 .Layer 3 Tunnel based on IPSec IP Payload Private Network Internet IP ISP VPN Client VPN Gateway PSTN IPsec Tunnel IP ESP IP Payload PPP PSTN IP ESP IP Payload

11 .L2TP over IPsec (RFC 3193) – Voluntary Mode IP ESP IPSec Transport Mode UDP L2TP PPP IP, IPX Payload IP, IPX Payload Private Network Internet IP ISP NAS Remote Client Network Access Server PSTN L2TP LNS LAC L2TP Tunnel PPP IP, IPX Payload Layer 2 Connection (Wire) PPP PPP over PSTN IP ESP UDP L2TP PPP IP, IPX Payload

12 .IP Payload Private Network Internet IP ISP SSL/TLS Browser with Plugin SSL/TLS Proxy Server PSTN PPP IP PSTN TCP* SSL IP Payload SSL/TLS Tunnel IP TCP* SSL IP Payload Layer 4 Tunnel based on SSL/TLS *OpenVPN uses SSL over UDP

13 .Layer 2 – L2TP Same login procedure as PPP (preshared secrets, RADIUS, etc.) Same auxiliary information as with PPP (virtual IP, DNS/WINS servers) No strong security without IPsec, LCP can be cheated into establishing no encryption. Non-authenticated L2TP packets prone to replay attacks. Layer 3 – IPSec Cryptographically strong encryption and authentication of VPN tunnel Can negotiate and enforce complex VPN access control policies XAUTH and IKEv2-EAP authentication offer PPP-like features Does not allow the tunneling of non-IP protocols (IPX, etc.) Complex connection setup, PKI management overhead Layer 4 - TLS Clientless and simple: Internet Browser plus Java Applets or Plugin. Cryptographically strong encryption and authentication of VPN tunnel Access to certain applications need special plugin (still clientless?) Layer 2/3/4 VPNs – Pros and Cons

14 .Internet Security 1 ( IntSi1 ) 13.3 Multi-Protocol Label Switching (MPLS)

15 .IP-Network of a Service Provider MPLS based Virtual Private Networks IP L A IP L A L 1 IP L A L 3 IP L A L 5 IP L B IP L B IP L B L 2 IP L B L 4 IP L B L 6 IP L A User B E1 E2 E3 E4 N1 N3 User A User B User A

16 .MPLS Layer 2 Shim Header (RFC 3032) 20 Bits Class of Service, 3 Bits Bottom of Stack, 1 Bit Time to Live, 8 Bits Label CoS B TTL 4 Bytes

17 .Internet Security 1 ( IntSi1 ) 13.4 IPsec Transport Mode

18 .Internet IPsec – Transport Mode 194.230.203.86 160.85.128.3 IP connection secure IP datagrams should be authenticated IP datagrams should be encrypted and authenticated

19 .IPsec – Transport Mode IP Authentication Header (AH) IP protocol number for AH: 51 Mutable fields: Type of Service (TOS), Fragment Offset, Flags, Time to Live (TTL), IP header checksum Original IP Header TCP Header Data IPv4 Before applying AH AH: RFC 4302 After applying AH IPv4 authenticated except for mutable fields Original IP Header AH Header TCP Header Data

20 .IPsec – Transport Mode IP Encapsulating Security Payload (ESP) IP protocol number for ESP: 50 ESP authentication is optional With ESP authentication the IP header is not protected. Original IP Header TCP Header Data IPv4 Before applying ESP ESP: RFC 4303 Original IP Header ESP Header IPv4 After applying ESP encrypted authenticated TCP Header Data ESP Trailer ESP Auth

21 .Internet Security ( IntSi1) 13.5 IPsec Tunnel Mode

22 .Internet IPsec – Tunnel Mode Virtual Private Network (VPN) 10.1.0.2 10.1.0.3 10.1.0.1 Subnet 10.1.0.0/16 10.2.0.2 10.2.0.3 10.2.0.1 Subnet 10.2.0.0/16 194.230.203.86 160.85.180.0 Security Gateway Security Gateway secure IP tunnel

23 .IPsec Tunnel Mode using ESP Original IP Header TCP Header Data IPv4 Before applying ESP IP protocol number for ESP: 50 ESP authentication is optional but often used in place of AH Original IP Header is encrypted and therefore hidden Outer IP Header ESP Header IPv4 After applying ESP encrypted authenticated Original IP Header TCP Header Data ESP Trailer ESP Auth Encapsulating Security Payload (ESP): RFC 4303

24 .ESP Header (Initial Header / Payload / Trailer) encrypted authenticated After applying ESP Security Parameters Index (SPI) Anti-Replay Sequence Number Payload Data (variable, including IV) Padding (0-255 bytes) Authentication Data (variable) 0 1 2 3 4 bytes Next Header Pad Length

25 .IPsec Tunnel Mode CBC Packet Overhead Outer IP Header AES_XCBC_96 HMAC_SHA1_96 SPI / Seq. Number 3DES_CBC IV AES_CBC IV 3DES_CBC max Pad AES_CBC max Pad Pad Len / Next Header HMAC_SHA2_256_128 HMAC_SHA2_384_192 HMAC_SHA2_512_256 20 8 8 16 7 15 12 2 12 16 24 32 12 12 16 24 32 12 12 16 24 32 20 20 20 20 20 20 20 20 20 20 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 16 16 16 16 16 7 7 7 7 7 15 15 15 15 15 2 2 2 2 2 2 2 2 2 2 50 50 54 Best Case Overhead 62 70 58 58 62 70 78 Bytes Worst Case Overhead 57 57 61 69 77 73 73 77 85 93

26 .Authenticated Encryption with Associated Data (AEAD) AEAD is based on special b lock c ipher m odes : Block size : 128 bits Key size : 128/256 bits Tag size : 128/96/64 bits Nonce size : 96 bits 32 bits 64 bits 32 bits Recommended AEAD Modes : AES-Galois/Counter Mode AES-GMAC (auth. o nly ) Alternative AEAD Modes : AES-CCM CAMELLIA-GCM CAMELLIA-CCM Salt IV Counter Salt IV 0 Salt IV 1 Salt IV 2 Key K Key K Hash Subkey H 0………………..0 Key K Hash Subkey Derivation

27 .IPsec Tunnel Mode AEAD Packet Overhead Outer IP Header AES_GCM_96 Tag AES_GCM_64 Tag Security Parameter Index AES_GCM IV AES_CNT max Pad Pad Len / Next Header 20 8 8 3 8 2 12 8 12 20 20 20 8 8 8 8 8 8 2 2 2 46 50 54 Best Case Overhead Bytes Worst Case Overhead 49 53 57 3 3 3 AES_GCM_128 Tag 16 16 Additional Authenticated Data: Sequence Number 0 1 2 3 Security Parameter Index Extended Sequence Number 0 1 2 3 SPI / Seq. Number or

28 .IPsec Tunnel Mode using AH Original IP Header TCP Header Data IPv4 Before applying AH IP protocol number for AH: 51 Mutable fields: Type of Service (TOS), Fragment Offset, Flags, Time to Live (TTL), IP header checksum ESP can be encapsulated in AH Outer IP Header AH Header IPv4 After applying AH authenticated Original IP Header TCP Header Data Authentication Header (AH): RFC 4302