overview of ikev2
play

Overview of IKEv2 Dan Harkins Charlie Kaufman Radia Perlman 1 - PDF document

Feb 03, 2023 •468 likes •643 views

A n a l y s i s o f I K E Overview of IKEv2 Dan Harkins Charlie Kaufman Radia Perlman 1 Radia Perlman A n a l y s i s o f I K E What we were trying to do Consolidate RFCs 2407, 2408, and 2409 in one document Not make gratuitous

  1. A n a l y s i s o f I K E Overview of IKEv2 Dan Harkins Charlie Kaufman Radia Perlman 1 Radia Perlman

  2. A n a l y s i s o f I K E What we were trying to do • Consolidate RFCs 2407, 2408, and 2409 in one document • Not make gratuitous changes • Simplify • Fix ambiguities (commit bit, meaning of major/minor version numbers) • Fix bugs (reflection attacks, lost messages) • Add flexibility where it seemed necessary (e.g., traffic selectors, critical bit) • Reduce latency • Allow stateless cookies 2 Radia Perlman

  3. A n a l y s i s o f I K E Basic IKEv2 • IKE SA+IPsec SA established in 4 messages • Exchange based on public signature keys • Hides both identities from passive attacker • 1st child-SA (ESP, AH, IPcomp) established during messages 3 and 4 of the IKE SA • Future child-SAs (new IPsec SA, or rekeying of IKE SA) established in 2 messages 3 Radia Perlman

  4. A n a l y s i s o f I K E Forward Compatibility • Version numbers - minor v# informational only. Ignored by node with smaller v# - major changed if protocol incompatible. Reject message if v# not supported - Rejection is unauthenticated - Major v# in header is v# of packet - Bit in header “I could do higher version” • Critical flag in payloads (so can add new payloads and decide if it’s appropriate to reject message with those, or skip that payload) • Critical bit only relevant for unknown payloads. All the ones in the IKEv2 draft are required to be known. 4 Radia Perlman

  5. A n a l y s i s o f I K E Reliability • All messages request/response • Messages have sequence numbers (not, as in IKEv1, random message IDs) • Initiator is responsible for retransmission if it doesn’t receive a reply • Multiple requests allowed in transit (e.g. in parallel setting up a bunch of child-SAs) • Window size stated (not negotiated) in SA payload, can be different in the two directions 5 Radia Perlman

  6. A n a l y s i s o f I K E Traffic Selectors in v2 • “ID” payload only for IKE SA • Child-SA uses “traffic selector” payload • Allows lists of IP address ranges, port ranges • Responder can narrow choice. Not just reject • Can choose subset of ranges, or subset within a range, or say “no, must be single address pair” 6 Radia Perlman

  7. A n a l y s i s o f I K E Cookies • Rather than defining IKE-SA by (c i , c r ), treat each side’s cookie like an SPI • Both appear in the header, so can reply to the other side’s SPI (can’t do that with ESP/AH) • Only difference on wire from v1 is order of cookies is reversed in the two directions • v1’s (c i , c r ): - potential collision (unlikely unless malice ) - Only unlikely because cookies are required to be randomly chosen (but makes stateless choice impossible) - “must be unique” (also prevents stateless) 7 Radia Perlman

  8. A n a l y s i s o f I K E Dead Peers, SA Lifetimes • Always allowed to forget IKE-SA and all child-SAs at any time (what you’d do if you crash) • Unauthenticated messages (ICMP, IKE “no such SPI”) raise suspicion about dead peer • If suspicious (rate-limited) send reliable IKE message. If no reply, then delete SA • No reason to negotiate lifetime • If delete, send (reliable IKE) delete notification • Deleting IKE SA automatically deletes all child-SAs • Deleting child-SA just deletes that child-SA 8 Radia Perlman

  9. A n a l y s i s o f I K E Rekeying • Either side can rekey at any time • Rekeying of either child-SA or IKE-SA is done by creating new SA, and then deleting the old one • Rekeyed IKE-SA inherits all the child-SAs 9 Radia Perlman

  10. A n a l y s i s o f I K E Encryption/Integrity Protection Format • Complex in IKEv1 and different from anything else, weird IV calculation • We liked the “encrypt and integrity protect this blob” syntax from the ESP spec better length depends on crypto IV alg, usually 8 bytes data encrypted padding encrypted pad length encrypted reserved 1 byte, must be zero integrity includes IKE header 10 Radia Perlman

  11. A n a l y s i s o f I K E Negotiating Security Parameters • SA payload in IKEv1 - very complex - exponential explosion • v2: - Simpler - Allows a proposal with “any of these algorithms for, say, encryption, with any of these algorithms for, say integrity”. Responder chooses one of each type of algorithm when accepting the P - I wanted to change the name from “SA” but got outvoted 11 Radia Perlman

  12. A n a l y s i s o f I K E Negotiating Traffic Restrictions • An IPsec policy thing: say “I want this SA to only carry traffic from these sources to these destinations, using these ports, etc • IKEv1: Responder can just say “no” • IKEv2: We added ability for responder to give subset, or say “single pair” • Also allows sets of ranges of addresses, ports 12 Radia Perlman

  13. A n a l y s i s o f I K E The Exchange • Our paper from a year ago recommended - have Bob prove ID first - and a 3-message exchange for public signature keys • Decided instead Alice should prove ID first - Else trivial to poll to see who is at an address • Decided 4 msgs better - piggybacking child-SA: Alice has better idea of appropriate policy - initiator has data to send. If no 4th msg, can’t know when OK to send the data - spec easier: reliability burden on initiator - can do stateless cookie without extra 2 msgs 13 Radia Perlman

  14. A n a l y s i s o f I K E The Exchange Alice Bob g A mod p, crypto proposal, N i , [certreq] g B mod p, crypto accepted, N r , [certreq] K=f(nonces, SPIs, g AB mod p) {“Alice”, sig on msgs 1/2, [cert], child}K {“Bob”, sig on msgs 1/2, [cert], child}K • Bob can optionally refuse 1st message and require return of stateless cookie, extra 2 msgs • If Alice repeats info in msg 3, can avoid extra 2 msgs 14 Radia Perlman

  15. A n a l y s i s o f I K E Create Child-SA Alice Bob {proposal, nonce, [g A mod p], TS} {proposal, nonce, [g B mod p], TS} • proposal = crypto suites, SPI, protocol (ESP, AH, and/or IPcomp) • TS=description of traffic to be sent • Derived keys=function of IKE keying material plus nonces in this exchange, plus output of optional Diffie-Hellman 15 Radia Perlman

  16. A n a l y s i s o f I K E Variants • Now that spec written, easy to modify • The exchange is easily changed • Things to consider - Bill Sommerfeld’s “birth certificate” - Different keys in the two directions for IKE - Specifying encryption/integrity format explicitly - Making stateless 4-message exchange - Preshared secret keys...weak secrets (SRP)? 16 Radia Perlman

Recommend

Minimal IKEv2 AuthenTec Oy Tero Kivinen kivinen@iki.fi draft-kivinen-ipsecme-minimal-ikev2-01

Minimal IKEv2 AuthenTec Oy Tero Kivinen kivinen@iki.fi draft-kivinen-ipsecme-minimal-ikev2-01

Minimal IKEv2 AuthenTec Oy Tero Kivinen kivinen@iki.fi draft-kivinen-ipsecme-minimal-ikev2-01 What Problem Does This Document Solve Tries to educate implementors that IKEv2 is not complex and difficult to implement. Why Do People

363 views • 5 slides
IKEv2 with CGA Jean-Michel Combes jeanmichel.combes@orange.com Aurlien Wailly

IKEv2 with CGA Jean-Michel Combes jeanmichel.combes@orange.com Aurlien Wailly

IKEv2 with CGA Jean-Michel Combes jeanmichel.combes@orange.com Aurlien Wailly aurelien.wailly@orange.com Maryline Laurent Maryline.Laurent@it-sudparis.eu 2011-10-25 ICSNA 2011 1 Outline IPsec IKEv2 CGA IKEv2 with CGA?

744 views • 36 slides
Key Exchange in IPsec revisited: Formal Analysis of IKEv1 and IKEv2 Cas Cremers, ETH Zurich

Key Exchange in IPsec revisited: Formal Analysis of IKEv1 and IKEv2 Cas Cremers, ETH Zurich

Key Exchange in IPsec revisited: Formal Analysis of IKEv1 and IKEv2 Cas Cremers, ETH Zurich Overview What is IKE ? Internet Key Exchange , part of IPsec Formal analysis of IKE Previously considered infeasible Using Scyther

410 views • 19 slides
Privacy-Preserving Authenticated Key Exchange and the Case of IKEv2 Sven Schge, Jrg Schwenk,

Privacy-Preserving Authenticated Key Exchange and the Case of IKEv2 Sven Schge, Jrg Schwenk,

Privacy-Preserving Authenticated Key Exchange and the Case of IKEv2 Sven Schge, Jrg Schwenk, Sebastian Lauer Ruhr-University Bochum Classical Key Exchange Setting m1 Bob Alice m2 skA skB pkB pkA mq-1 mq derive K derive K 2

185 views • 18 slides
CGA as alternative security credentials with IKEv2: implementation and analysis SAR-SSI 2012

CGA as alternative security credentials with IKEv2: implementation and analysis SAR-SSI 2012

CGA as alternative security credentials with IKEv2: implementation and analysis SAR-SSI 2012 Orange Labs Jean-Michel Combes (France Telecom - Orange) Aurlien Wailly (France Telecom - Orange) Maryline Laurent (Telecom Sud Paris)

580 views • 26 slides
Use of IKEv2 and IPsec with Multiple CoA support MONAMI6 WG, IETF 68 Vijay Devarapalli

Use of IKEv2 and IPsec with Multiple CoA support MONAMI6 WG, IETF 68 Vijay Devarapalli

Use of IKEv2 and IPsec with Multiple CoA support MONAMI6 WG, IETF 68 Vijay Devarapalli (vijay.devarapalli@azairenet.com) Assumptions in RFC 3775, 3963 There is only one primary care-of address per mobile node The primary care-of

240 views • 7 slides
IKEv2: IPSec Key Management Protocol Lecture 20 Acknowledgement: Slides from Vincent Luk, revised

IKEv2: IPSec Key Management Protocol Lecture 20 Acknowledgement: Slides from Vincent Luk, revised

IKEv2: IPSec Key Management Protocol Lecture 20 Acknowledgement: Slides from Vincent Luk, revised by Cunsheng Ding IP Security Architecture IPSec module 1 IPSec module 2 SPD SPD IKE IKE AH/ESP AH/ESP SAD SAD SA IKE: Internet Key

702 views • 26 slides
ilab 2 - IPSec with IKEv2 and Strongswan Lukas Grillmayer and Linus Lotz Chair for Network

ilab 2 - IPSec with IKEv2 and Strongswan Lukas Grillmayer and Linus Lotz Chair for Network

ilab 2 - IPSec with IKEv2 and Strongswan Lukas Grillmayer and Linus Lotz Chair for Network Architectures and Services Department for Computer Science Technische Universit at M unchen June 4, 2014 Lukas Grillmayer and Linus Lotz: ilab 2 -

1.39k views • 51 slides
Labeled IPsec draft-jml-ipsec-ikev1-security-context-00.txt

Labeled IPsec draft-jml-ipsec-ikev1-security-context-00.txt

Labeled IPsec draft-jml-ipsec-ikev1-security-context-00.txt draft-jml-ipsec-ikev2-security-context-00.txt Presented by: Joy Latten Document authors: Serge Hallyn, Trent Jaeger, Joy Latten, and George Wilson Problem Description Mandatory

295 views • 6 slides
Security Analysis of Network Protocols John Mitchell Stanford University Usenix Security

Security Analysis of Network Protocols John Mitchell Stanford University Usenix Security

Security Analysis of Network Protocols John Mitchell Stanford University Usenix Security Symposium, 2008 Many Protocols Authentication and key exchange SSL/TLS, Kerberos, IKE, JFK, IKEv2, Wireless and mobile computing Mobile IP, WEP,

959 views • 71 slides
OVERVIEW PRESENTATION / 1 OVERVIEW PRESENTATION / 1 SF park overview OVERVIEW PRESENTATION / 2

OVERVIEW PRESENTATION / 1 OVERVIEW PRESENTATION / 1 SF park overview OVERVIEW PRESENTATION / 2

OVERVIEW PRESENTATION / 1 OVERVIEW PRESENTATION / 1 SF park overview OVERVIEW PRESENTATION / 2 Coin and card meters OVERVIEW PRESENTATION / 3 Making garages work better OVERVIEW PRESENTATION / 4 User interface and customer experience OVERVIEW

1.3k views • 24 slides
OVERVIEW PRESENTATION / 1 OVERVIEW PRESENTATION / 1 Acknowledgements OVERVIEW PRESENTATION / 2 SF

OVERVIEW PRESENTATION / 1 OVERVIEW PRESENTATION / 1 Acknowledgements OVERVIEW PRESENTATION / 2 SF

OVERVIEW PRESENTATION / 1 OVERVIEW PRESENTATION / 1 Acknowledgements OVERVIEW PRESENTATION / 2 SF park overview OVERVIEW PRESENTATION / 3 Coin and card meters OVERVIEW PRESENTATION / 4 Improving the customer experience at garages OVERVIEW

567 views • 25 slides
GSM System Overview GSM System Overview GSM System Overview GSM System Overview Phone Lin

GSM System Overview GSM System Overview GSM System Overview GSM System Overview Phone Lin

National Taiwan University Department of Computer Science and Information Engineering GSM System Overview GSM System Overview GSM System Overview GSM System Overview Phone Lin Phone Lin Ph.D. Ph.D. Email: plin@csie.ntu.edu.tw Email:

686 views • 41 slides
i c r o g u a r d s OVERVIEW The m i c r o g u a r d BIOFUELS s OVERVIEW

i c r o g u a r d s OVERVIEW The m i c r o g u a r d BIOFUELS s OVERVIEW

LGE UNICAMP The m i c r o g u a r d s OVERVIEW The m i c r o g u a r d BIOFUELS s OVERVIEW The m i c r o g u a r d ETHANOL s OVERVIEW The m i c Ideal conditions r o g Costs-benefits u a r d

1.39k views • 59 slides
Football First Aid: Football First Aid: An Overview An Overview Steven Richmond 95#

Football First Aid: Football First Aid: An Overview An Overview Steven Richmond 95#

Football First Aid: Football First Aid: An Overview An Overview Steven Richmond 95# Commissioner --BRYC Firefighter II, EMT-B, HTR & HZMT Tech City of Alexandria Fire and EMS Overview Overview Hyperthermia (Heat Related Injuries)

2.61k views • 31 slides
1 Corporate Overview Transaction 1 Corporate Overview Overview of Libre Group Structure

1 Corporate Overview Transaction 1 Corporate Overview Overview of Libre Group Structure

1 Corporate Overview Transaction 1 Corporate Overview Overview of Libre Group Structure Industry Business Model Hotels Overview Disclaimer This presentation does not constitute, or form any part of any offer for sale or subscription

808 views • 32 slides
HabaPalooza T EA M HYPERION COM M 362 A PRIL 29 T H 201 2 Overview Team Overview

HabaPalooza T EA M HYPERION COM M 362 A PRIL 29 T H 201 2 Overview Team Overview

HabaPalooza T EA M HYPERION COM M 362 A PRIL 29 T H 201 2 Overview Team Overview Project Overview Analysis Active Experimentation Question & Answer Team Overview Our Logo Our Tagline Our Mission Statement

1.09k views • 15 slides
Outbound Logistics Overview 1 Outbound Logistics Overview Outbound Overview Four

Outbound Logistics Overview 1 Outbound Logistics Overview Outbound Overview Four

Outbound Logistics Overview 1 Outbound Logistics Overview Outbound Overview Four Dedicated Outbound Carriers MPF Meijer Private Fleet 111 stores serviced in Michigan, northern Ohio, and Indiana. NTB Nationwide Truck

865 views • 15 slides
HabaPalooza T E A M H Y P E R I O N C O M M 3 6 2 A P R I L 2 9 TH 2 0 1 2 Overview Team

HabaPalooza T E A M H Y P E R I O N C O M M 3 6 2 A P R I L 2 9 TH 2 0 1 2 Overview Team

HabaPalooza T E A M H Y P E R I O N C O M M 3 6 2 A P R I L 2 9 TH 2 0 1 2 Overview Team Overview Project Overview Analysis Active Experimentation Question & Answer Team Overview Our Logo Our Tagline Our

934 views • 15 slides
An overview to Maltese An overview to Maltese An overview to Maltese An overview to Maltese

An overview to Maltese An overview to Maltese An overview to Maltese An overview to Maltese

An overview to Maltese An overview to Maltese An overview to Maltese An overview to Maltese Agriculture Agriculture Agriculture characteristics S mall holdings L imited resources and L and Fragmentation. 2 Maltese agriculture in figures

1.04k views • 15 slides
Library Conversations: Talking with Users University of Rochester Overview Overview Used

Library Conversations: Talking with Users University of Rochester Overview Overview Used

Rebecca Bichel December 7, 2007 Library Conversations: Talking with Users University of Rochester Overview Overview Used anthropological & ethnographic Overview Overview methods Guiding research question: What do students

941 views • 44 slides
.NET Overview Objectives Introduce .NET overview languages libraries

.NET Overview Objectives Introduce .NET overview languages libraries

.NET Overview Objectives Introduce .NET overview languages libraries development and execution model Examine simple C# program 2 .NET Overview .NET is a sweeping marketing term for a family of products

388 views • 23 slides
1 Overview Overview Regional demographic overview Regional demographic overview Workforce

1 Overview Overview Regional demographic overview Regional demographic overview Workforce

1 Overview Overview Regional demographic overview Regional demographic overview Workforce supply analysis Regional demand for workers i l d d f k Balancing supply and demand Reviewing key cluster trends Key challenges

533 views • 39 slides
EZ Overview EZ Overview The Rapid Development Platform p p Muse EZ is a

EZ Overview EZ Overview The Rapid Development Platform p p Muse EZ is a

EZ Overview EZ Overview The Rapid Development Platform p p Muse EZ is a registered trademark of Future Designs, Inc . 1 Overview What is EZ? EZ RTOS Engine EZ Four Tier Hierarchy Reusable HAL and Device

600 views • 32 slides

More recommend