318 0944_05F9_c1
1
© 1999, Cisco Systems, Inc.
Advanced Security Technology Concepts Session 318
Copyright © 1998, Cisco Systems, Inc. All rights reserved. Printed in USA. Presentation_ID.scr
What Is Cryptography
• A way of keeping information private
• Provides authentication and integrity
• Nonrepudiation
• Requires key management
• A communications enabler
• Communication with confidence
Agenda
• Encryption Concepts and Terminology
• The PKI and CEP
• A Day In the Life of an IPSec Packet
• IPSec Implementation Issues
Encryption Concepts and Terminology
Confidentiality
• Confidentiality—communicating such that the intended recipients know what was being sent but unintended parties cannot determine what was sent
Keys
[Diagram: two devices connected across a WAN, each holding a public key (Pub), a private key (Pri) and a DES key]
• Each device has three keys:
1. A private key that is kept secret and never shared. Used to sign messages
2. A public key that is shared. Used by others to verify a signature
3. A shared secret key that is used to encrypt data using a symmetric encryption algorithm (e.g., DES)
Key Sizes
Estimated Time for Brute-Force Attack (1995) on Symmetric Keys
(rows: cost; columns: key length in bits)
Cost    40           56         64       80          112        128
100 K   2 secs       35 hours   1 year   70,000 yrs  10^14 yrs  10^19 yrs
1 M     .2 secs      3.5 hours  37 days  7000 years  10^13 yrs  10^18 yrs
10 M    .02 secs     21 mins    4 days   700 years   10^12 yrs  10^17 yrs
100 M   2 millisecs  2 mins     9 hours  70 years    10^11 yrs  10^16 yrs
1 B     .2 millisec  13 secs    1 hour   7 years     10^10 yrs  10^15 yrs
Asymmetric or Public-Key Encryption
[Diagram: “Networkers” → Encryption with the Public Key → “&^$!@#l:{Q” → Decryption with the Private Key → “Networkers”]
• Encryptor and decryptor use different mathematical functions
• Encryptor and decryptor use different keys
• Example: Public key algorithms (RSA, Diffie-Hellman)
• Generate a secret key
The Diffie-Hellman Public Key Exchange
Alice: Secret Value, XA; Public Value, YA = g^XA mod p
Bob: Secret Value, XB; Public Value, YB = g^XB mod p
Exchanged values: YA, YB
YB^XA mod p = g^(XA XB) mod p = YA^XB mod p (Shared Secret)
g is a large prime
p size is based on D-H group
Diffie-Hellman Example
Host A                          Host B
prime p = 5, primitive g = 3    prime p = 5, primitive g = 3
Choose Xa such that             Choose Xb such that
0 <= Xa < p, Xa = 2             0 <= Xb < p, Xb = 4
Ya = g^Xa mod p                 Yb = g^Xb mod p
   = 3^2 mod 5                     = 3^4 mod 5
   = 4                             = 1
Exchange Values: p, g, Ya       Exchange Values: p, g, Yb
Ke = Yb^Xa mod p                Ke = Ya^Xb mod p
   = 1^2 mod 5                     = 4^4 mod 5
   = 1                             = 1
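
An added example, not part of the original slides: the slide's arithmetic in Python together with the public-value check a receiver applies before deriving Ke. With Xb = 4 = p - 1 the slide's Yb is 1, so Ke is 1 whatever Xa is; the function names and the second group (p = 23, g = 5) are assumptions made for illustration.

```python
import secrets


def dh_public(g, x, p):
    """Public value Y = g^X mod p, as on the slide."""
    return pow(g, x, p)


def public_value_ok(y, p):
    """A peer value of 0, 1 or p-1 confines the shared secret to at most
    two possible values, so only 2 <= Y <= p-2 is accepted."""
    return 2 <= y <= p - 2


def dh_shared(peer_y, x, p):
    """Shared secret Ke = Y_peer^X mod p, refusing degenerate peer values."""
    if not public_value_ok(peer_y, p):
        raise ValueError(f"degenerate Diffie-Hellman public value: {peer_y}")
    return pow(peer_y, x, p)


def dh_keypair(g, p):
    """Draw a random secret X until the matching public value is acceptable."""
    while True:
        x = 2 + secrets.randbelow(p - 3)      # X in [2, p-2]
        y = dh_public(g, x, p)
        if public_value_ok(y, p):
            return x, y


def slide_example():
    """The slide's numbers, computed without any check: (Ya, Yb, Ke_A, Ke_B)."""
    p, g, xa, xb = 5, 3, 2, 4
    ya, yb = dh_public(g, xa, p), dh_public(g, xb, p)
    return ya, yb, pow(yb, xa, p), pow(ya, xb, p)


def checked_exchange(g, p):
    """Both hosts generate key pairs, validate the peer value and derive Ke."""
    xa, ya = dh_keypair(g, p)
    xb, yb = dh_keypair(g, p)
    return dh_shared(yb, xa, p), dh_shared(ya, xb, p)


if __name__ == "__main__":
    print("slide values (Ya, Yb, Ke_A, Ke_B):", slide_example())
    # Xb = p - 1 makes Yb = 1, so Ke = 1 for every possible Xa:
    print("Ke for each Xa when Yb = 1:", [pow(1, xa, 5) for xa in range(5)])
    print("is Yb = 1 acceptable?", public_value_ok(1, 5))
    print("checked exchange, p = 23, g = 5:", checked_exchange(5, 23))
```

In the p = 5 group only the public values 2 and 3 pass the check, which is one reason real D-H groups use a large p.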
Symmetric Encryption
[Diagram: “Networkers” → Encryption with the Secret Key → “&^$!@#l:{Q” → Decryption with the Secret Key → “Networkers”]
• Encryption and decryption use same mathematical function
• Encryption and decryption use same key
• Example: Data Encryption Standard (DES, IDEA RC2, RC4)
DES Encryption
[Diagram: Clear-Text “Networkers” → Encryption → Cipher-Text “&^$!@#l:{Q” → Decryption → Original Clear-Text “Networkers”]
• Peer routers now have identical keys
• DES encryption turns cleartext into ciphertext
• Decryption restores cleartext from ciphertext
DES Transforms—CFB
[Diagram: cipher feedback (CFB) chaining. Labels: IV, EK, plaintext blocks Pi and Pi+1, ciphertext blocks Ci-1, Ci and Ci+1]
DES Transforms—CBC
[Diagram: cipher block chaining (CBC). Labels: IV, EK, plaintext blocks Pi and Pi+1, ciphertext blocks Ci-1, Ci and Ci+1]
DES Explained
[Diagram: one DES round. Labels: 64 bit block plain text; Initial Permutation; 32 bit halves L i-1 and R i-1; 56 bit Key split into two 28 bit halves, each shifted; Compression Permutation (choose 48 bits); Expansion Permutation; XOR; S-Box Substitution; P-Box Permutation; XOR; outputs L i, R i and the 56 bit Key]
Integrity
• Integrity—ensuring that data is transmitted from source to destination without undetected alteration
Message-Digest Algorithms
• Secret key and message are hashed together
• Recomputation of digest verifies that message originated with peer and that message was not altered in transit
• Also used in digital signatures
• Examples HMAC-MD5, HMAC-SHA
[Diagram: “Secret Key” + Message → Hash Function → Hash]
Hash Algorithms
MD5
• Produces a 128 bit hash value
• Input 512 bit block split as 16 x 32 bit blocks
• Output is 4 x 32 bit blocks concatenated
• 4 Chaining variables
• 4 rounds of 16 operations with 4 functions per round
SHA
• Produces a 160 bit hash value
• Input 512 bit block split as 16 x 32 bit blocks, expanded to 80 x 32 bit blocks
• Output is 5 x 32 bit blocks concatenated
• 5 Chaining variables
• 4 rounds of 20 ops
Authentication
• Authentication—Knowing that the data received is the same as the data that was sent and that the claimed sender is in fact the actual sender.
Digital Signatures
[Diagram: Alice's Message → Hash Function → Hash of Message → Sign Hash with Private Key → signature “s74hr7sh7040236fw 7sr7ewq7ytoj56o457”]
One-way function. Easy to produce hash from message, “impossible” to produce message from hash
Signature = “Encrypted” Hash of Message
Signature Verification
[Diagram: Message with Appended Signature, received from Alice and split into Message and Signature]
Re-Hash the Received Message: Message → Hash Function → Hash of Message
Decrypt the Received Signature: Signature → Decrypt Using Alice’s Public Key → Hash of Message
If Hashes are Equal, Signature is Authentic
Digital Envelope
[Diagram: Message, Secret key, and Bob's public and private keys]
Alice Encrypts Message with a Random Secret Key
Encrypt the Secret Key with Bob’s Public Key
Bob Decrypts the Secret Key with His Private Key, then Decrypts the Message
Used During CA Transactions
PKI and CEP
PKI Components
• Certificate Authority
• Registration and Certification Issuance
• Certificate Revocation
• Key Recovery
• Key Generation
• Certificate Distribution
• Trusted Time Service
• Key Storage
• Support for NonRepudiation
Certificate Life Cycle and Management—PKIX
[Diagram labels: Initialization, Certification, Useful Life, Expiration, Revocation]
Certificates and CAs
[Diagram: BANK and Internet]
• Certificate Authority (CA) verifies identity
• CA signs digital certificate containing device’s public key
• Verisign On-Site, Entrust PKI, Netscape CA, Microsoft CA
X.509v3 Certificate
• Binds user identity (Subject Name) to a public key via signature
• Issuer (CA) signs cert
• Note cert has defined lifetime
• Identifies which signature algorithm was used to sign cert
• Extension fields allow other information to be bound to cert (e.g., subject’s clearances)
Certificate ::= {
  Version (v3)
  Serial Number
  Sign Algorithm ID
  Issuer Name
  Validity Period
  Subject Name
  Subject Public Key
  Issuer Unique ID
  Subject Unique ID
  Extensions
  Signature
}
Enrolling a Device with a CA
[Diagram: device Home-gw 10.1.2.3 and the CA]
• Generate public/private keys
• Send certificate request to CA
• CA signs certificate
• Retrieve certificate from CA
Certificate Revocation List
• List of revoked certificates signed by CA
• Stored on CA or directory service
• No requirement on devices to ensure CRL is current
[Diagram: Revoked: Cert 12345, Cert 12241, Cert 22333]
CA Relationships—Hierarchy and Cross-Certification
[Diagram: several CAs arranged in a hierarchy with cross-certification, and users Alice, Bob and Carol. Legend: Certificate (points issuer to subject); Cross Certificate; CA = Certificate Authority; User = Certificate User]
Certificate Enrollment Protocol
• PKCS #7 for signing and enveloping
• PKCS #10 for certificate request
• HTTP and LDAP for transport
• Requires manual authentication during enrollment
• CRL distribution is manual
A Day In the Life of an IPSec Packet
IPSec Overview
• Interoperable authentication, integrity and encryption
[Diagram: packet layout: IP Header | IPSec Header(s) AH/ESP | IP Data (Encrypted)]
Authentication Header
[Diagram: Router and Firewall; All Data in Clear Text]
• Data integrity—no twiddling of bits
• Origin authentication—definitely came from Router
• Uses keyed-hash mechanism
• Does NOT provide confidentiality
• Replay protection
AH Authentication and Integrity
[Diagram: Router and Firewall each derive Authentication Data (00ABCDEF) from IP Header + Data; packet layout: IP HDR | AH | Data]
IPSec Authentication Header (AH)
• AH header is prepended to IP datagram or to upper-layer protocol
• IP datagram, part of AH header, and message itself are authenticated with a keyed hash function
AH header fields:
  Next Header | Payload Length | RESERVED
  Security Parameter Index (SPI)
  Sequence Number Field
  Authentication Data
Encapsulating Security Payload
• Data confidentiality
• Limited traffic flow confidentiality
• Data integrity
• Data origin authentication
• Anti-replay protection
• Does not protect IP Header
ESP Confidentiality and Integrity
Encryption with a Keyed-MAC
[Diagram: Router and Firewall; packet layout: IP HDR | ESP | Data, with spans marked Authenticated and Encrypted]
IPSec Encapsulating Security Payload Header (ESP)
• ESP header is prepended to IP datagram
• Confidentiality through encryption of IP datagram
• Integrity through keyed hash function
ESP fields:
  Security Parameter Index (SPI)
  Sequence Number Field
  Initialization Vector
  Payload Data
  Padding (If Any)
  Pad Length
  Next Header
  Authentication Data
IPSec Modes
Tunnel Mode
  Original packet:  IP HDR | DATA
  Protected packet: New IP HDR | IPSec HDR | IP HDR | DATA (Encrypted)
Transport Mode
  Original packet:  IP HDR | DATA
  Protected packet: IP HDR | IPSec HDR | DATA (Encrypted)
Security Association (SA)
[Diagram: Router and Firewall across an Insecure Channel]
• Agreement between two entities on method to communicate securely
• Unidirectional—two-way communication consists of two SAs
Security Associations Enable Your Chosen Policy
Tunnel-Mode AH-HMAC-SHA PFS 50
Transport-Mode ESP-DES-HMAC-MD5 PFS 15
IPSec Security Association (SA)
Destination Address: 205.49.54.237
Security Parameter Index (SPI): 7A390BC1
IPSec Transform: AH, HMAC-MD5
Key: 7572CA49F7632946
Additional SA Attributes (e.g., lifetime): One Day or 100MB
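
An added example, not part of the original slides: the keyed hash from the Message-Digest Algorithms slide applied the way the AH slides describe, using the SPI, key and destination address from the SA slide above. The source address, payload and function names are constructed for illustration; zeroing the mutable IP header fields and truncating HMAC-MD5 to 96 bits follow the AH and HMAC-MD5-96 specifications rather than the slides.

```python
import hashlib
import hmac
import socket
import struct

# SA values shown on the slide; SRC and the payloads are constructed for the demo.
SPI = 0x7A390BC1
KEY = bytes.fromhex("7572CA49F7632946")
DST = "205.49.54.237"
SRC = "192.0.2.1"
ICV_LEN = 12                 # HMAC-MD5-96: digest truncated to 96 bits
AH_LEN = 12 + ICV_LEN        # fixed AH fields + Authentication Data


def ipv4_header(payload_len, ttl):
    """Minimal 20-byte IPv4 header, protocol 51 (AH). The checksum is left 0
    because it is a mutable field and is zeroed for the ICV anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, 51, 0, socket.inet_aton(SRC), socket.inet_aton(DST))


def zero_mutable(ip):
    """Zero the fields routers may change in transit: TOS, flags/fragment
    offset, TTL and header checksum."""
    b = bytearray(ip)
    b[1] = 0
    b[6:8] = b"\x00\x00"
    b[8] = 0
    b[10:12] = b"\x00\x00"
    return bytes(b)


def icv(key, ip, ah_fixed, payload):
    """Keyed hash over the IP header (mutable fields zeroed), the AH header
    with a zeroed Authentication Data field, and the message itself."""
    data = zero_mutable(ip) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.md5).digest()[:ICV_LEN]


def build_packet(seq, payload, ttl=64):
    ip = ipv4_header(AH_LEN + len(payload), ttl)
    # Next Header 6 (TCP, constructed), Payload Length 4 (= 24/4 - 2),
    # RESERVED, SPI, Sequence Number
    ah_fixed = struct.pack("!BBHII", 6, 4, 0, SPI, seq)
    return ip + ah_fixed + icv(KEY, ip, ah_fixed, payload) + payload


def verify(packet, key):
    """Recompute the digest and compare it in constant time."""
    ip, ah_fixed = packet[:20], packet[20:32]
    received, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    return hmac.compare_digest(received, icv(key, ip, ah_fixed, payload))


class ReplayWindow:
    """Sliding window over the Sequence Number field (bit 0 = highest seen)."""

    def __init__(self, size=32):
        self.size, self.top, self.seen = size, 0, 0

    def accept(self, seq):
        if seq == 0:
            return False
        if seq > self.top:                       # newer than anything seen
            shift = seq - self.top
            self.seen = ((self.seen << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size or (self.seen >> offset) & 1:
            return False                         # too old, or a replay
        self.seen |= 1 << offset
        return True


def receive(packet, key, window):
    """Accept a packet only if the ICV verifies and the sequence number is
    new; the window is updated only for authenticated packets."""
    if not verify(packet, key):
        return False
    seq = struct.unpack("!I", packet[28:32])[0]
    return window.accept(seq)
```

A TTL decrement in transit leaves the ICV valid, while a change to the source address, the AH fields or the payload does not.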
IKE
• Negotiates policy to protect communication
• Authenticated Diffie-Hellman key exchange
• Negotiates (possibly multiple) security associations for IPSec
• A flavor of ISAKMP/Oakley for IPSec
• Provides PFS
Perfect Forward Secrecy (PFS)
• Compromise of a single key will permit access to only data protected by that particular key
• IKE provides PFS if required by using Diffie-Hellman for each rekey
• If PFS not required, can refresh key material without using Diffie-Hellman
IKE Authentication
• Signatures (RSA or DSS)
  Diffie-Hellman secret, identity, hashed together and signed
  Nonrepudiable proof of communication
• Encrypted nonces (RSA only)
  Pseudo-random nonce encrypted in other party’s public key
  Nonces, Diffie-Hellman secret, identities hashed
  Repudiable, deniable exchange
• Preshared key
  Key is agreed-upon out-of-band
  Key, Diffie-Hellman secret, identities hashed
  Limited applicability
Cisco IOS ® IPSec Configuration
! These are the SA policies that will be proposed during Phase 1.
! The policy with the highest priority that is acceptable to each
! peer is chosen
crypto isakmp policy 2
 authentication pre-share
! If we are using pre-shared keys they must be
! manually defined on each peer
crypto isakmp key 1234 address 192.168.0.6
crypto isakmp key fred address 192.168.0.20
! These are the transforms or algorithms to be proposed for use
! by IPSec. They may include both an AH and ESP mechanism or
! one of either mechanism. Tunnel Mode is the default.
crypto ipsec transform-set test2 esp-des
crypto ipsec transform-set router esp-des esp-sha-hmac
 mode transport
Cisco IOS IPSec Configuration
! If certain traffic matches the rules in access-list 101, then apply
! the crypto map or template. The map is called test1, it requires
! SA’s for both ISAKMP and IPSec. The appropriate peer is
! 192.168.0.20 (Fred) and the transform-sets router and test2
! should be proposed to Fred in order to find the best match to
! be the basis of the IPSec SA. The ISAKMP SA’s will be based
! on the ISAKMP policies defined earlier in the config
crypto map test1 10 ipsec-isakmp
 set peer 192.168.0.20
 set transform-set router test2
 match address 101
! Apply the crypto map to an interface
interface Ethernet0
 ip address 192.168.0.2 255.255.255.0
 crypto map test1
access-list 101 permit ip host 192.168.0.2 host 192.168.0.20
Establishing the IKE SA
[Exchange between Fred and Wilma: ISAKMP Phase 1, Oakley Main Mode]
SA Request IPSec (triggered by ACL)
In the Clear:
  IKE SA Offer—des, sha, rsa sig, D-H group 1, lifetime
  Policy Match accept offer
  Fred D-H exchange : KE, nonce
  Wilma D-H exchange : KE, nonce
Protected:
  Fred Authenticate D-H apply Hash
  Wilma Authenticate D-H apply Hash
IKE Bi-Directional SA Established
Establishing IPSec SAs
[Exchange between Fred and Wilma: ISAKMP Phase 2, Oakley Quick Mode]
Protected by the IKE SA:
  IPSec SA Offer—transform, mode, pfs, authentication, lifetime
  Policy Match accept offer
  Fred D-H exchange or refresh IKE key
  Wilma D-H exchange or refresh IKE key
IPSec Outbound SA Established
IPSec Inbound SA Established
A Day Debug
IKE with preshared keys… Fred proposes using esp-des to Wilma, access-list 101 triggers the IPSec requirement.
fred#telnet 192.168.0.2
Trying 192.168.0.2…
A Day Debug
Traffic matching an ACL specification triggers a policy formulation by the sender. If more than one policy exists for a particular destination, then gather all relevant policies.
IPSEC(sa_request): , (key eng. msg.) src= 192.168.0.20, dest= 192.168.0.2,
    src_proxy= 192.168.0.20/255.255.255.255/0/0 (type=1),
    dest_proxy= 192.168.0.2/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-des ,
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
A Day Debug
ISAKMP Phase One using Oakley Main Mode. Negotiate an ISAKMP security association (policy). This SA will protect any key and/or parameter negotiation required by other services such as IPSec.
ISAKMP (26): beginning Main Mode exchange
ISAKMP (26): processing SA payload. message ID = 0
ISAKMP (26): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP (26): atts are acceptable. Next payload is 0
A Day Debug
Exchange public/shared keys and nonces. This is the actual Diffie-Hellman shared secret calculation. Process KE which is the pre-shared key information, then process the nonces and generate the shared key SKEYID which will be used as the actual encryption key.
CRYPTO: DH gen phase 1 status for conn_id 26 slot 0:OK
ISAKMP (26): SA is doing pre-shared key authentication
ISAKMP (26): processing KE payload. message ID = 0
CRYPTO: DH gen phase 2 status for conn_id 26 slot 0:OK
ISAKMP (26): processing NONCE payload. message ID = 0
ISAKMP (26): SKEYID state generated
A Day Debug
Next, authenticate the Diffie-Hellman Exchange using SHA as the hash algorithm to make sure the payload information has not been intercepted and tampered with.
ISAKMP (26): processing ID payload. message ID = 0
ISAKMP (26): processing HASH payload. message ID = 0
ISAKMP (26): SA has been authenticated
A Day Debug
Now, negotiate an SA for IPSec. This is ISAKMP Phase 2 using Oakley Quick Mode.
ISAKMP (26): beginning Quick Mode exchange, M-ID of -652741699
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 258023605 for SA
    from 192.168.0.2 to 192.168.0.20 for prot 3
ISAKMP (26): processing SA payload. message ID = -652741699
ISAKMP (26): Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
A Day Debug
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP (26): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
    (key eng. msg.) dest= 192.168.0.2, src= 192.168.0.20,
    dest_proxy= 192.168.0.2/255.255.255.255/0/0 (type=1),
    src_proxy= 192.168.0.20/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-des ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
A Day Debug
Generate a shared key for encryption for IPSec. Generally the original D-H generated shared secret key is refreshed via combining it with a random value (another nonce) as shown below.
ISAKMP (26): processing NONCE payload. message ID = 652741699
ISAKMP (26): processing ID payload. message ID = -652741699
ISAKMP (26): processing ID payload. message ID = -652741699
A Day Debug
ISAKMP (26): Creating IPSec SAs
    inbound SA from 192.168.0.2 to 192.168.0.20
        (proxy 192.168.0.2 to 192.168.0.20 )
    has spi 258023605 and conn_id 27 and flags 4
    lifetime of 3600 seconds
    lifetime of 4608000 kilobytes
    outbound SA from 192.168.0.20 to 192.168.0.2
        (proxy 192.168.0.20 to 192.168.0.2 )
    has spi 251200955 and conn_id 28 and flags 4
    lifetime of 3600 seconds
    lifetime of 4608000 kilobytes
IPSEC(key_engine): got a queue event...
A Day Debug
IPSEC(initialize_sas): ,
    (key eng. msg.) dest= 192.168.0.20, src= 192.168.0.2,
    dest_proxy= 192.168.0.20/255.255.255.255/0/0 (type=1),
    src_proxy= 192.168.0.2/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-des ,
    lifedur= 3600s and 4608000kb,
    spi= 0xF6120B5(258023605), conn_id= 27, keysize= 0, flags= 0x4
IPSEC(initialize_sas): ,
    (key eng. msg.) src= 192.168.0.20, dest= 192.168.0.2,
    src_proxy= 192.168.0.20/255.255.255.255/0/0 (type=1),
    dest_proxy= 192.168.0.2/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-des ,
    lifedur= 3600s and 4608000kb,
    spi= 0xEF905BB(251200955), conn_id= 28, keysize= 0, flags= 0x4
A Day Debug
Each SA is unidirectional so we need to see two SA’s created on each participating peer, one outbound and one inbound:
IPSEC(create_sa): sa created,
    (sa) sa_dest= 192.168.0.20, sa_prot= 50,
    sa_spi= 0xF6120B5(258023605),
    sa_trans= esp-des , sa_conn_id= 27
IPSEC(create_sa): sa created,
    (sa) sa_dest= 192.168.0.2, sa_prot= 50,
    sa_spi= 0xEF905BB(251200955),
    sa_trans= esp-des , sa_conn_id= 28
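
An added example, not part of the original slides: a small parser for the debug lines above that checks what the walkthrough points out by eye, namely that an inbound and an outbound SA both exist, that each SPI's hex and decimal forms agree, and that the VPI lifetime octets decode to the 4608000 kilobytes shown. It also reports a transform set that encrypts without a keyed hash, as esp-des alone does. The function names are assumptions for illustration, and 192.168.0.20 is taken as the local address (Fred) from the slides.

```python
import re

# Lines copied from the debug output on the slides (wrapped lines rejoined).
DEBUG = """\
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
IPSEC(create_sa): sa created, (sa) sa_dest= 192.168.0.20, sa_prot= 50, sa_spi= 0xF6120B5(258023605), sa_trans= esp-des , sa_conn_id= 27
IPSEC(create_sa): sa created, (sa) sa_dest= 192.168.0.2, sa_prot= 50, sa_spi= 0xEF905BB(251200955), sa_trans= esp-des , sa_conn_id= 28
"""

SA_RE = re.compile(
    r"IPSEC\(create_sa\): sa created,\s*\(sa\)\s*sa_dest= (?P<dest>[\d.]+),\s*"
    r"sa_prot= (?P<prot>\d+),\s*sa_spi= (?P<hex>0x[0-9A-Fa-f]+)\((?P<dec>\d+)\),\s*"
    r"sa_trans= (?P<trans>[^,]*?)\s*,\s*sa_conn_id= (?P<conn>\d+)")
VPI_RE = re.compile(r"SA life duration \(VPI\) of ((?:0x[0-9A-Fa-f]+ ?)+)")


def decode_vpi(text):
    """Join the variable-precision-integer octets into one big-endian number."""
    match = VPI_RE.search(text)
    if match is None:
        return None
    octets = bytes(int(tok, 16) for tok in match.group(1).split())
    return int.from_bytes(octets, "big")


def parse_sas(text):
    """Return one dict per IPSEC(create_sa) line."""
    sas = []
    for m in SA_RE.finditer(text):
        sas.append({
            "dest": m["dest"],
            "prot": int(m["prot"]),
            "spi": int(m["hex"], 16),
            "spi_dec": int(m["dec"]),
            "transforms": m["trans"].split(),
            "conn": int(m["conn"]),
        })
    return sas


def audit(sas, local_addr):
    """List problems a reviewer of this debug output would want to see."""
    findings = []
    for sa in sas:
        if sa["spi"] != sa["spi_dec"]:
            findings.append(f"conn {sa['conn']}: SPI hex/decimal mismatch")
        encrypts = [t for t in sa["transforms"]
                    if t.startswith("esp-") and not t.endswith("-hmac")]
        hashes = [t for t in sa["transforms"] if t.endswith("-hmac")]
        if encrypts and not hashes:
            findings.append(
                f"conn {sa['conn']}: {' '.join(sa['transforms'])} "
                "has no keyed hash (no integrity check)")
    # Each SA is unidirectional: one towards us, one towards the peer.
    if not any(sa["dest"] == local_addr for sa in sas):
        findings.append("no inbound SA")
    if not any(sa["dest"] != local_addr for sa in sas):
        findings.append("no outbound SA")
    return findings


if __name__ == "__main__":
    print("lifetime (kilobytes):", decode_vpi(DEBUG))
    for finding in audit(parse_sas(DEBUG), "192.168.0.20"):
        print(finding)
```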
Using a CA—Entrust Configuration
• ip domain-name cisco.com
• crypto isakmp policy 4
• crypto ca identity cisco.com
• enrollment mode ra
• enrollment url http://10.0.0.2/cgi-bin
• query url ldap://10.0.0.2
• crl optional
CA and CEP Example
Step 1—Generate Public/Private Keys
barney(config)#crypto key gen rsa usage
The name for the keys will be: barney.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your Signature Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]:
Generating RSA keys ... [OK]
Choose the size of the key modulus in the range of 360 to 2048 for your Encryption Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]:
Generating RSA keys ... [OK]
CA and CEP Example
Step 1—Generate Public/Private Keys
barney#sho crypto key mypublic rsa
% Key pair was generated at: 01:18:43 UTC Mar 1 1999
Key name: barney.cisco.com
Usage: Signature Key
Key Data: 305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00BEDC6C FBD327FC 2AFC7521 F2DE3D04 D3239759 7908C8F1 64F0E58F 0116CF6A 897D6210 2D4BFC80 CE41DF7B AA75ECAA 6680B13F 30F079BE DD361565 A325B72A 3D020301 0001
% Key pair was generated at: 01:18:45 UTC Mar 1 1993
Key name: barney.cisco.com
Usage: Encryption Key
Key Data: 305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C06DC2 3AE2BF72 CE9FD6F6 55C13A0D A3C183D5 1E7E4523 E8863DDC D852FD32 86461BBC F10EEA77 8A6A5AC9 AFEF6B0A 03107565 03384DB4 4E6C4A77 0C594B10 31020301 0001
CA and CEP Example
Step 2—Request the CA and RA Certificates
Manually verify Fingerprint of CA
barney(config)#cryp ca auth cisco.com
Certificate has the following attributes:
Fingerprint: 1A5416D6 2EEE8943 D11CCEE1 3DEE9CE7
% Do you accept this certificate? [yes/no]: y
CA and CEP Example
Step 3—Enrol the Router with the CA
barney(config)#cry ca enrol cisco.com
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this password to the CA Administrator in order to revoke your certificate. For security reasons your password will not be saved in the configuration. Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will be: barney.cisco.com
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [yes/no]: n
Request certificate from CA? [yes/no]: y
CA and CEP Example
Step 3—Enrol the Router with the CA
Fingerprints sent to CA for manual verification
barney(config)#
Signing Certificate Request Fingerprint: 4C6DB57D 7CAF8531 7778DDB3 CCEB1FFB
Encryption Certificate Request Fingerprint: D33447FE 71FF2F24 DA98EC73 822BE4F7
CA and CEP Example
Step 4—CA grants Certificates
Status Pending -> Available
barney#sho cryp ca cert
Certificate
  Subject Name
    Name: barney.cisco.com
  Status: Pending
  Key Usage: Signature
  Fingerprint: 4C6DB57D 7CAF8531 7778DDB3 CCEB1FFB
Certificate
  Subject Name
    Name: barney.cisco.com
  Status: Pending
  Key Usage: Encryption
  Fingerprint: D33447FE 71FF2F24 DA98EC73 822BE4F7
Certificate Debug
00:02:29: ISAKMP (2): Checking ISAKMP transform 1 against priority 5 policy
00:02:29: ISAKMP: encryption DES-CBC
00:02:29: ISAKMP: hash MD5
00:02:29: ISAKMP: default group 1
00:02:29: ISAKMP: auth RSA sig
Certificate Debug
00:02:29: ISAKMP (2): atts are acceptable. Next payload is 0
00:02:29: ISAKMP (2): SA is doing RSA signature authentication
00:02:29: ISAKMP (2): processing KE payload. message ID = 0
00:02:29: ISAKMP (2): processing NONCE payload. message ID = 0
00:02:29: ISAKMP (2): SKEYID state generated
00:02:30: ISAKMP (2): processing ID payload. message ID = 0
00:02:30: ISAKMP (2): processing CERT payload. message ID = 0
00:02:30: ISAKMP (2): processing a CT_X509_SIGNATURE cert
00:02:30: ISAKMP (2): cert approved with warning
00:02:30: ISAKMP (2): processing CERT_REQ payload. message ID = 0
00:02:30: ISAKMP (2): peer wants a CT_X509_SIGNATURE cert
00:02:30: ISAKMP (2): processing SIG payload. message ID = 0
00:02:30: ISAKMP (2): SA has been authenticated with 10.0.0.3
00:02:30: ISAKMP (2): processing SA payload. message ID = 1451572340
IPSec Implementation Issues
IPSec and Scaling
[Diagram: network topology with IPSec links. Labels: HQ, Famous, Charlie, Detective; networks 192.168.100.0, 172.21.114.0, 172.21.115.0, 172.21.116.0 and 192.168.150.0]
Scaling Example 1
Central Site Router
crypto map HQ 10 ipsec-isakmp
 set peer 172.21.115.1
 set peer 172.21.116.1
 set transform-set encrypt-des
 match address 101
Scaling Example 2
Central Site Router
crypto map HQ 10 ipsec-isakmp
 set peer 172.21.115.1
 set transform-set encrypt-des
 match address 101
crypto map HQ 20 ipsec-isakmp
 set peer 172.21.116.1
 set transform-set encrypt-des
 match address 102
Scaling Example 3
Central Site Router
crypto dynamic-map AcceptRemote 20
 set transform-set encrypt-des
crypto map dynamicHQ 10 ipsec-isakmp dynamic AcceptRemote
Scaling for Large Networks
Options
• Multihop encryption
• Tunnel endpoint discovery
• All-or-nothing approach
• Registration server
Enable Mobile Users with Layer 2TP and IPSec
[Diagram labels: IPSec and IKE, PPP, Layer 2TP]
1. Client dials ISP uses PPP via modem
2. Client “dials” gateway using Layer 2TP via VPN port
3. AAA and assign configuration by gateway
4. IPSec transport mode established between client and gateway
Enable Mobile Users with Mode Config IKE Extension
[Diagram labels: PPP, IKE SA, ISAKMP Transaction Exchange, IPSec SAs]
1. Dial ISP using PPP via modem
2. Establish the IKE SA with gateway
3. Send ISAKMP_CFG_REQUEST to gateway
4. Gateway sends ISAKMP_CFG_REPLY
5. Client has internal attributes, establish IPSec SAs
IPSec, NAT and Cisco IOS Firewall
[Diagram: network topology. Networks 10.0.0.0 255.255.255.240, 172.17.11.0 255.255.255.0, 192.168.1.0 255.255.255.0 and 192.168.0.0 255.255.255.0; Cisco IPSec Peer with LO0: 30.30.30.30 255.255.255.0; IRE Client Workstation IPSec Peer]
IPSec, NAT and Cisco IOS Firewall
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname wilma
!
enable secret 5 $1$baf6$1VAnALbAuaJheCXi.u3fV0
enable password cisco
!
ip subnet-zero
! NAT Config – translate all inside source addresses matching
! access-list 1 to those addresses defined in the pool outside. Also define a
! static translation for the inside web server 192.168.0.20
ip nat pool outside 172.17.1.30 172.17.1.50 netmask 255.255.255.0
ip nat inside source list 1 pool outside
ip nat inside source static 192.168.0.20 172.17.1.20
IPSec, NAT and Cisco IOS Firewall
! IOS Firewall Timeout declarations
ip inspect name firewall tcp timeout 3600
ip inspect name firewall udp timeout 15
!
! Define your IKE Policies. All will be offered to the Peer and the most
! secure match will be used
crypto isakmp policy 1
 hash md5
 authentication pre-share
!
! If the peer can accept this policy, then it will be used as it is more
! secure than Policy 1
crypto isakmp policy 2
 authentication pre-share
 group 2
 lifetime 360
!
! Define the Pre-Shared Keys of your Peers
crypto isakmp key ciscosys address 10.0.0.6
IPSec, NAT and Cisco IOS Firewall
! IPSec policies are defined here. These include your AH and ESP
! choices as well as the mode of operation.
crypto ipsec transform-set dessha esp-des esp-sha-hmac
crypto ipsec transform-set ahmd5 ah-md5-hmac
crypto ipsec transform-set desmd5tr esp-des esp-md5-hmac
 mode transport
crypto ipsec transform-set desmd5 esp-des esp-md5-hmac
!
! When dealing with multiple clients a dynamic crypto map can be
! used so that the peer's identity need not be defined here. Note
! that this router must still authenticate the incoming client via
! either a Pre-Shared key, or a certificate. This is the dynamic
! map's template.
crypto dynamic-map remotes 1
 set transform-set desmd5
 match address 120
IPSec, NAT and Cisco IOS Firewall
! Regular crypto maps are defined here. The first map allows the
! use of PFS such that a brand new Diffie-Hellman exchange is
! performed during each IKE quick mode. The identity of this peer
! is defined by its loopback address. If the loopback is used it must
! be a public address, IPSec is done first, then NAT
crypto map iosirepfs local-address Loopback0
crypto map iosirepfs 1 ipsec-isakmp
 set peer 10.0.0.6
 set transform-set desmd5
 set pfs group1
 match address 120
! This crypto map uses the dynamic template defined above.
crypto map iosirerem 1 ipsec-isakmp dynamic remotes
IPSec, NAT and Cisco IOS Firewall
interface Loopback0
 ip address 30.30.30.30 255.255.255.0
 no ip directed-broadcast
!
! We want to use NAT and also make sure we trigger the
! IOS Firewall such that conversations initiated on the
! inside have a dynamic stateful (CBAC) access-list
! created.
interface Ethernet0
 ip address 192.168.0.1 255.255.255.0
 ip access-group 110 in
 no ip directed-broadcast
 ip nat inside
 ip inspect firewall in
IPSec, NAT and Cisco IOS Firewall
! Inside source addresses are translated to the outside
! pool. All incoming traffic is examined by the
! firewall via access-group 111. For IPSec, the crypto
! map is applied.
interface Serial0
 ip address 192.168.1.1 255.255.255.0
 ip access-group 111 in
 no ip directed-broadcast
 ip nat outside
 no ip mroute-cache
 no keepalive
 crypto map iosirerem
IPSec, NAT and Cisco IOS Firewall
! ACL for NAT translation, any source IP from the
! 192.168.0.0 subnet will be translated
access-list 1 permit 192.168.0.0 0.0.0.255
!
! ACL triggers CBAC on traffic initiated on the inside of
! the firewall
access-list 110 permit tcp any any
access-list 110 permit udp any any
access-list 110 permit icmp any any
IPSec, NAT and Cisco IOS Firewall
! Before the firewall will allow traffic initiated on the outside in,
! that traffic must satisfy this list
access-list 111 permit udp host 10.0.0.6 host 192.168.1.1
access-list 111 permit esp host 10.0.0.6 host 192.168.1.1
access-list 111 permit ahp host 10.0.0.6 host 192.168.1.1
access-list 111 permit tcp host 10.0.0.6 host 172.17.1.20 eq www
access-list 111 permit icmp host 10.0.0.6 any
access-list 111 permit udp host 10.0.0.6 host 172.17.1.20 eq tftp
!
! Encrypt any traffic matching these conditions. Note that the
! NAT'd addresses are the source addresses.
access-list 120 permit ip 172.17.1.0 0.0.0.255 host 10.0.0.6
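The comment on access-list 120 ("the NAT'd addresses are the source addresses") can be checked with a small model of the outbound path. This is an added example, not part of the original slides: the function names and the first-free pool allocation are assumptions, while the addresses, pool and wildcard masks are the ones in the configuration above.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

# ip nat inside source static 192.168.0.20 172.17.1.20
STATIC_NAT = {"192.168.0.20": "172.17.1.20"}
# ip nat pool outside 172.17.1.30 172.17.1.50 netmask 255.255.255.0
POOL = [f"172.17.1.{n}" for n in range(30, 51)]

def nat_inside_source(src, allocated):
    """Translate an inside source address as the NAT statements describe."""
    if src in STATIC_NAT:
        return STATIC_NAT[src]
    # access-list 1 permit 192.168.0.0 0.0.0.255
    if wildcard_match(src, "192.168.0.0", "0.0.0.255"):
        if src not in allocated:
            if len(allocated) >= len(POOL):
                raise RuntimeError("NAT pool exhausted")
            # Simplified allocation (assumption): hand out pool addresses in order.
            allocated[src] = POOL[len(allocated)]
        return allocated[src]
    return src  # not matched by access-list 1: left untranslated

def acl_120_permits(src, dst):
    """access-list 120 permit ip 172.17.1.0 0.0.0.255 host 10.0.0.6"""
    return wildcard_match(src, "172.17.1.0", "0.0.0.255") and dst == "10.0.0.6"

def outbound_decision(src, dst, allocated=None):
    """NAT the source first, then test the translated packet against the crypto ACL."""
    allocated = {} if allocated is None else allocated
    translated = nat_inside_source(src, allocated)
    action = "encrypt" if acl_120_permits(translated, dst) else "clear"
    return translated, action

if __name__ == "__main__":
    for src, dst in [("192.168.0.20", "10.0.0.6"),   # web server, static NAT
                     ("192.168.0.7", "10.0.0.6"),    # ordinary inside host, pool NAT
                     ("192.168.0.7", "10.0.0.9")]:   # destination is not the peer
        print(src, "->", dst, outbound_decision(src, dst))
```

A crypto ACL written against the untranslated 192.168.0.0 subnet would never select these packets, because by the time the crypto map on Serial0 sees them the source is already in 172.17.1.0.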
Configuring GRE Tunnels
• crypto map my_crypto_map 10
   set algorithm 40-bit-des
   set peer r3-4k
   match address 128
• interface Tunnel0
   ip address 5.5.5.3 255.255.255.0
   tunnel source Loopback0
   tunnel destination 1.1.6.1
   crypto map my_crypto_map
• interface Serial0
   ip address 2.2.5.3 255.255.255.0
   crypto map my_crypto_map
• access-list 128 permit gre host 2.2.6.3 host 1.1.6.1
VOIP and IPSec
[Diagram: two 1750 routers connected across the Internet. Router name vvpn_1, 201.168.4.1, phone number 1750-120; router name vvpn_2, 201.168.2.1, phone number 1750-220]
• IPSec ACL must specify WAN endpoints/subnets to facilitate RTP, H.225
• Port numbers used for VOIP may not be well-known and may be negotiated
VOIP and IPSec Notes
• Due to additional headers and packet expansion, an RTP frame of G.729 encoded voice is 100 bytes across an IPSEC facility
• At 50 pps with 100-byte frames, a 56 kb link can only accommodate a single call (50 x 100 bytes = 40 kb)
• RTP header compression is not available to IPSEC frames
VOIP and IPSec Notes
• RTP packets cannot be distinguished within an ESP encrypted flow, so interleaving between fragments is not possible
• Increasing bandwidth for smaller packet sizes is good for IPSec and VOIP
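The packet expansion behind the VOIP notes can be worked through for the esp-des esp-md5-hmac transform used in the configuration slides. This is an added example, not part of the original slides: the function names are hypothetical, and it assumes a 20-byte G.729 payload per packet at 50 pps, IPv4 headers without options, and no link-layer framing, so its sizes bracket the slide's 100-byte figure rather than reproduce it.

```python
IP_HDR, UDP_HDR, RTP_HDR = 20, 8, 12
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad-length + next-header bytes, encrypted with the payload

def clear_rtp_size(payload):
    """Unencrypted IPv4/UDP/RTP packet size in bytes."""
    return IP_HDR + UDP_HDR + RTP_HDR + payload

def esp_packet_size(payload, mode="tunnel", block=8, iv=8, icv=12):
    """IPv4 packet size in bytes once the RTP packet is protected by ESP.

    Defaults model DES-CBC (8-byte block and IV) with HMAC-MD5-96 (12-byte ICV).
    """
    inner = UDP_HDR + RTP_HDR + payload
    if mode == "tunnel":
        inner += IP_HDR                 # the original IP header is encrypted too
    elif mode != "transport":
        raise ValueError("mode must be 'tunnel' or 'transport'")
    # Data plus ESP trailer is padded up to a whole number of cipher blocks.
    blocks = -(-(inner + ESP_TRAILER) // block)
    return IP_HDR + ESP_HDR + iv + blocks * block + icv

def calls_per_link(link_bps, packet_bytes, pps=50):
    """Return (whole calls that fit, bits per second used by one call)."""
    per_call_bps = packet_bytes * 8 * pps
    return link_bps // per_call_bps, per_call_bps

if __name__ == "__main__":
    g729_payload = 20  # assumption: 20 ms of G.729 per packet
    sizes = {
        "clear RTP": clear_rtp_size(g729_payload),
        "ESP transport": esp_packet_size(g729_payload, "transport"),
        "ESP tunnel": esp_packet_size(g729_payload, "tunnel"),
        "slide figure": 100,
    }
    for label, size in sizes.items():
        calls, bps = calls_per_link(56000, size)
        print(f"{label:14s} {size:4d} bytes  {bps:6d} bps/call  {calls} call(s) on 56k")
```

Under these assumptions the same 56 kb link that carries one encrypted call would carry two unencrypted ones, which is the capacity cost the slide is pointing at.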
QOS and IPSec
• Diff-serv: entire TOS byte is copied to the IPSEC header so precedence can be applied. The additional length may change the packet’s service characteristics
• QOS must be implemented before IPSec
Performance
Model   Suggested Bandwidth
1600    up to 64Kb - 128Kb
2500    up to 128Kb
2600    up to 512Kb
3640    up to 1.5Mb
4700    up to 2.0Mb
7206    up to 2.5Mb
7505    up to 6.0Mb
Encryption Performance Stats
Model   Baseline   CET       Auth. only   Encrypt only   Auth. and Encrypt.   Suggested Bandwidth
2514    2.4–9.9    0.2–0.3   0.1–1.0      0.16–0.25      0.1–0.2              up to 128 kbps
3640    9.9+       2.0–4.0   0.6–6.1      0.7–2.5        0.5–2.1              up to 1.5 Mbps
4700    9.5–9.9    4.9–5.3   1.4–9.1      1.5–3.1        1.1–2.6              up to 2.0 Mbps
7206    9.9+       2.9–5.5   1.0–9.1      1.1–3.5        0.9–2.9              up to 2.5 Mbps
7505*   9.9+       9.2–9.9   2.9–9.4      3.6–9.1        2.6–7.9              up to 6.0 Mbps
* The processing of IPSec is done on the RSP.
Reference Material
• Applied Cryptography [2nd Edition], Bruce Schneier, Addison-Wesley
• Cryptography and Network Security, William Stallings, Prentice Hall
• Web Security and Commerce, Garfinkel and Spafford, O’Reilly
• Internet Cryptography, Richard E. Smith, Addison-Wesley
• Internet Drafts and RFCs: www.ietf.org, Public-Key Infrastructure and IP Security Protocol Charters