2. Agenda
• What is IPsec
• IPsec Protocols
• IPsec Flow
• IPsec Tunnel
• IPsec in IMS
3. What is IPsec
• IPsec is a set of security protocols and algorithms used to
secure IP data at the network layer.
• IPsec provides:
– Data confidentiality (encryption and adding ESP header), integrity
(hash), and authentication (signatures, certificates) of IP packets while
maintaining the ability to route them through existing IP networks.
• Consists of:
– ESP (and historically AH) for protecting traffic
– Separate key exchange protocol (IKE)
– Separate authentication protocol in IKEv2
5. IPsec involves some main components:
• Security Protocols: The IP datagram protection mechanisms,
– The authentication header (AH) signs IP packets and ensures integrity,
but the content of the datagram is not encrypted.
– The encapsulating security payload (ESP) encrypts IP data, thus
obscuring the content during packet transmission.
– ESP also can ensure data integrity through an authentication algorithm
option.
What is IPsec (Cont.)
6. • Security Associations Database (SADB):
– The database that associates a security protocol with an IP destination
address and an indexing number (equivalent to an SA).
– The indexing number is called the Security Parameter Index (SPI).
– These three elements (the security protocol, the destination address,
and the SPI) uniquely identify a legitimate IPsec packet.
– The database ensures that a protected packet that arrives at the packet
destination is recognized by the receiver.
– The receiver also uses information from the database to decrypt the
communication, verify that the packets are unchanged, reassemble the
packets, and deliver the packets to their ultimate destination.
What is IPsec (Cont.)
7. • Key Management: The generation and distribution of keys for the
cryptographic algorithms and for the SPI.
• Security Mechanisms: The authentication and encryption algorithms that
protect the data in the IP datagrams.
• Security Policy Database (SPD):
– The database that specifies the level of protection to apply to a packet.
– The SPD filters IP traffic to determine how the packets should be processed.
– A packet can be discarded. A packet can be passed in the clear. Or, a packet
can be protected with IPsec. For outbound packets, the SPD and the SADB
determine what level of protection to apply.
– For inbound packets, the SPD helps to determine if the level of protection on
the packet is acceptable. If the packet is protected by IPsec, the SPD is
consulted after the packet has been decrypted and has been verified.
What is IPsec (Cont.)
8. • Internet Key Exchange (IKE):
– Used to transfer SA parameters between hosts
– Handles negotiation of protocols
– Generates keys
IPsec Protocols
9. – ISAKMP defines procedures and packet formats to establish,
negotiate, modify and delete Security Associations (SA).
– SAs contain all the information required for execution of various
network security services, such as the IP layer services (such as header
authentication and payload encapsulation), transport or application
layer services, or self-protection of negotiation traffic.
– ISAKMP defines payloads for exchanging key generation and
authentication data. These formats provide a consistent framework for
transferring key and authentication data which is independent of the
key generation technique, encryption algorithm and authentication
mechanism.
IPsec ISAKMP: Internet Security Association and Key
Management Protocol
IPsec Protocols (Cont.)
10. • Authentication Header (AH):
– Host and Client Authentication
– Provides Data Integrity
– Protects against replay attacks (anti-replay)
• Encapsulating Security Payload (ESP):
– Same as AH, but also supports data encryption and NAT
– Encrypts data (either TCP/UDP payload for transport mode, or IP packet for
tunnel mode)
– Adds an ESP header with a “Security Parameter Index” (SPI) and sequence
number
– Adds an ESP trailer which contains the “original protocol” of the data that was
encrypted.
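Added example (not from the original slides): how a receiver uses the cleartext ESP header fields to find the SA in the SADB by the triple (security protocol, destination address, SPI) before any decryption. The addresses, SPI, SADB contents and function names are constructed, and the replay check is simplified to "higher than the last accepted sequence number" rather than a sliding window.

```python
import ipaddress
import struct

ESP = 50  # IP protocol number assigned to ESP

# Constructed SADB keyed by the triple from the slides:
# (security protocol, destination address, SPI) -> SA parameters.
SADB = {
    (ESP, ipaddress.ip_address("192.0.2.10"), 0x1000ABCD): {
        "mode": "tunnel", "enc": "AES-CBC", "auth": "HMAC-SHA-1-96",
        "last_seq": 41,  # highest sequence number already accepted
    },
}

def build_packet(dst, spi, seq, proto=ESP):
    """Constructed sample: IPv4 header + ESP header + 16 dummy payload bytes."""
    src = ipaddress.ip_address("198.51.100.7").packed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 44, 0, 0, 64, proto, 0,
                     src, ipaddress.ip_address(dst).packed)
    return ip + struct.pack("!II", spi, seq) + bytes(16)

def classify_inbound(packet):
    """Return a verdict for a raw IPv4 packet, using cleartext fields only."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop: not IPv4"
    ihl = (packet[0] & 0x0F) * 4  # IPv4 header length in bytes
    if ihl < 20:
        return "drop: malformed IPv4 header"
    proto, dst = packet[9], ipaddress.ip_address(packet[16:20])
    if proto != ESP:
        return "not ESP: SPD decides bypass or discard"
    if len(packet) < ihl + 8:
        return "drop: truncated ESP header"
    # ESP header: 32-bit SPI followed by 32-bit sequence number.
    spi, seq = struct.unpack("!II", packet[ihl:ihl + 8])
    sa = SADB.get((proto, dst, spi))
    if sa is None:
        return "drop: no SA for (protocol, destination, SPI)"
    if seq <= sa["last_seq"]:
        return "drop: replayed sequence number"
    # last_seq would be advanced only after the integrity check succeeds.
    return "accept: verify integrity, then decrypt with " + sa["enc"]
```
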
IPsec Protocols (Cont.)
11. IPsec Transport vs Tunnel mode:
• IPsec Transport mode: ESP/AH transforms apply to L4 (TCP or UDP) header
and payload.
– Protects L4 header
– L3/routing information is not modified
– Typically used for host-host IPsec
• IPsec Tunnel mode: IP packet is encapsulated inside another IP packet. The
IPsec transforms are applied to the inner (original) IP packet.
– Protects IP and TCP header of the original packet
– Typically used for VPNs
– Routing information MAY be modified
IPsec Modes
16. • To establish an IPsec tunnel, we use IKE (Internet Key Exchange).
• There are two phases to build an IPsec tunnel:
– IKE phase 1
– IKE phase 2
• In IKE phase 1, two peers will negotiate about SAs.
• In this phase, an ISAKMP session is established. This is also called the
ISAKMP tunnel or IKE phase 1 tunnel.
• The IKE phase 1 tunnel is only used for management traffic. We use this
tunnel as a secure method to establish the second tunnel called the IKE
phase 2 tunnel or IPsec tunnel.
IPsec Tunnel
17. IKE Phase 1
Step 1 : Negotiation
• The two peers will negotiate about the following items:
– Hashing: a hashing algorithm is used to verify integrity; we use MD5 or SHA for this.
– Authentication: each peer has to prove its identity. Two commonly used options are a pre-shared key or
digital certificates.
– DH (Diffie-Hellman) group: the DH group determines the strength of the key that is used in the key exchange
process. The higher group numbers are more secure but take longer to compute.
– Lifetime: how long does the IKE phase 1 tunnel stay up? The shorter the lifetime, the more secure it is,
because rebuilding it means we will also use new keying material. Each vendor uses a different lifetime; a
common default value is 86400 seconds (1 day).
– Encryption: what algorithm do we use for encryption? For example, DES, 3DES or AES.
Step 2: DH Key Exchange
• Once the negotiation has succeeded, the two peers will know what policy to use.
• They will now use the DH group that they negotiated to exchange keying material.
• The end result will be that both peers will have a shared key.
Step 3: Authentication
• The last step is that the two peers will authenticate each other using the authentication method that they agreed
upon in the negotiation.
• When the authentication is successful, we have completed IKE phase 1.
• The end result is an IKE phase 1 tunnel (aka ISAKMP tunnel) which is bidirectional.
• This means that both peers can send and receive on this tunnel.
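Added example (not from the original slides): a simplified model of the three phase 1 steps, showing that the DH exchange alone yields a shared key but only the authentication step detects a peer with the wrong pre-shared key. It is not the IKE wire protocol: the proposal tuples, the toy DH group (the negotiated group number is only a label here) and the HMAC-SHA-256 authentication tag are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed toy DH group so the example is stdlib-only; far too small for real use.
P, G = 2**127 - 1, 3

def negotiate(initiator_proposals, responder_policy):
    """Step 1: the responder picks the first offered proposal its policy allows."""
    return next((p for p in initiator_proposals if p in responder_policy), None)

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def dh_shared(priv, peer_pub):
    """Step 2: derive the shared secret; reject degenerate public values."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("degenerate DH public value")
    return pow(peer_pub, priv, P).to_bytes(16, "big")

def auth_tag(psk, shared, role, pub_i, pub_r, proposal):
    """Step 3: HMAC keyed from PSK and DH secret over this exchange's values."""
    key = hmac.new(psk, shared, hashlib.sha256).digest()
    transcript = repr((role, pub_i, pub_r, proposal)).encode()
    return hmac.new(key, transcript, hashlib.sha256).digest()

def phase1(initiator_proposals, responder_policy, psk_i, psk_r):
    proposal = negotiate(initiator_proposals, responder_policy)
    if proposal is None:
        return "no proposal chosen"
    x_i, pub_i = dh_keypair()
    x_r, pub_r = dh_keypair()
    k_i, k_r = dh_shared(x_i, pub_r), dh_shared(x_r, pub_i)
    sides = {"initiator": (psk_i, k_i), "responder": (psk_r, k_r)}
    for prover, verifier in (("initiator", "responder"), ("responder", "initiator")):
        sent = auth_tag(*sides[prover], prover, pub_i, pub_r, proposal)
        expected = auth_tag(*sides[verifier], prover, pub_i, pub_r, proposal)
        if not hmac.compare_digest(sent, expected):
            return "authentication failed"
    return "phase 1 established: " + "/".join(map(str, proposal))

# Constructed proposals: (encryption, hash, authentication, DH group, lifetime in s)
OFFER = [("3DES", "MD5", "psk", 2, 86400), ("AES", "SHA", "psk", 14, 86400)]
POLICY = [("AES", "SHA", "psk", 14, 86400)]
```
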
18. IKE Phase 2
Like in IKE phase 1, our peers will negotiate about a number of items:
• IPsec Protocol: do we use AH or ESP?
• Encapsulation Mode: transport or tunnel mode?
• Encryption: what encryption algorithm do we use? DES, 3DES or AES?
• Authentication: what authentication algorithm do we use? MD5 or SHA?
• Lifetime: how long is the IKE phase 2 tunnel valid? When the tunnel is about to
expire, we will refresh the keying material.
19. IPsec in IMS
• The scheme for authentication and key agreement in the IMS is called IMS AKA.
• Authentication vector AV includes RAND, XRES, CK, IK and AUTN.
• Two pairs of security associations (SAs) are established between the UE and the P-
CSCF.
20. IPsec in IMS (Cont.)
• CM1: Cx-AV-Req(IMPI, m)
• CM2: Cx-AV-Req-Resp(IMPI,
RAND1||AUTN1||XRES1||CK1||IK1, …, RANDn||AUTNn||XRESn||CKn||IKn)
• SM4: 4xx Auth_Challenge(IMPI, RAND, AUTN, IK, CK)
• SM6: 4xx Auth_Challenge(IMPI, RAND, AUTN)
– Upon receiving the challenge, SM6, the UE takes the AUTN, which includes a MAC and the SQN. The
UE calculates the XMAC and checks that XMAC=MAC and that the SQN is in the correct range as in TS
33.102 [1]. If both these checks are successful the UE uses RES and some other parameters to
calculate an authentication response.
• SM7: REGISTER(IMPI, Authentication response)
• Upon receiving SM9 containing the response, the S-CSCF retrieves the active XRES
for that user and uses this to check the authentication response sent by the UE
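Added example (not from the original slides): the UE-side checks on the SM6 challenge, XMAC = MAC and the SQN range, followed by RES, which the network compares against XRES. AUTN is laid out as (SQN xor AK) || AMF || MAC as in TS 33.102; the functions f1, f2 and f5 are replaced by a truncated HMAC-SHA-256 stand-in (not MILENAGE), the SQN rule is simplified to "greater than the last accepted SQN", and the key, RAND and function names are constructed.

```python
import hashlib
import hmac

def _f(k, label, *parts, n):
    """Stand-in for AKA functions f1/f2/f5 (NOT MILENAGE): truncated HMAC-SHA-256."""
    return hmac.new(k, label + b"".join(parts), hashlib.sha256).digest()[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def network_challenge(k, rand, sqn, amf=b"\x80\x00"):
    """Home network side: build AUTN and XRES for one authentication vector."""
    sqn_b = sqn.to_bytes(6, "big")
    mac = _f(k, b"f1", sqn_b, rand, amf, n=8)
    ak = _f(k, b"f5", rand, n=6)
    autn = _xor(sqn_b, ak) + amf + mac       # AUTN = (SQN xor AK) || AMF || MAC
    return autn, _f(k, b"f2", rand, n=8)     # (AUTN, XRES)

def ue_check_challenge(k, rand, autn, last_sqn):
    """UE side on receiving SM6: return (status, RES or None)."""
    if len(autn) != 16:
        return "reject: malformed AUTN", None
    concealed_sqn, amf, mac = autn[:6], autn[6:8], autn[8:]
    sqn_b = _xor(concealed_sqn, _f(k, b"f5", rand, n=6))
    xmac = _f(k, b"f1", sqn_b, rand, amf, n=8)
    if not hmac.compare_digest(xmac, mac):   # constant-time XMAC = MAC check
        return "reject: MAC failure", None
    if int.from_bytes(sqn_b, "big") <= last_sqn:  # simplified range rule (assumption)
        return "reject: SQN out of range", None
    return "ok", _f(k, b"f2", rand, n=8)     # RES feeds the authentication response

# Constructed subscriber key and challenge values
K = bytes.fromhex("00112233445566778899aabbccddeeff")
RAND = bytes.fromhex("0f" * 16)
AUTN, XRES = network_challenge(K, RAND, sqn=1001)
```
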
21. IPsec in IMS (Cont.)
• IPsec ESP as specified in RFC 2406 [13] shall provide confidentiality protection of
SIP signalling between the UE and the P-CSCF, protecting all SIP signalling
messages at the IP level.
• The SA parameters that shall be negotiated between UE and P-CSCF in the security
mode set-up procedure are:
• Encryption algorithm:
– The encryption algorithm is either DES-EDE3-CBC as specified in RFC 2451 [20] or AES-
CBC as specified in RFC 3602 [22] with 128 bit key.
– Both encryption algorithms shall be supported by both the UE and the P-CSCF.
• Integrity algorithm
– The integrity algorithm is either HMAC-MD5-96 [15] or HMAC-SHA-1-96 [16].
– Both integrity algorithms shall be supported by both the UE and the P-CSCF, as
mandated by RFC 2406 [13].
22. IPsec in IMS (Cont.)
• SPI (Security Parameter Index):
– The SPI is allocated locally for inbound SAs. The triple (SPI, destination IP address,
security protocol) uniquely identifies an SA at the IP layer.
– The UE shall select the SPIs uniquely, and different from any SPIs that might be used in
any existing SAs (i.e. inbound and outbound SAs).
– The SPIs selected by the P-CSCF shall be different from the SPIs sent by the UE.
– In an authenticated registration, the UE and the P-CSCF each select two SPIs, not yet
associated with existing inbound SAs, for the new inbound security associations at the
UE and the P-CSCF respectively.
23. IPsec in IMS (Cont.)
• The P-CSCF associates two ports, called port_ps and port_pc, with each pair of security
associations established in an authenticated registration.
• The numbers of the ports port_ps and port_pc are communicated to the UE during the
security mode set-up procedure.
• The UE associates two ports, called port_us and port_uc, with each pair of security
associations established in an authenticated registration.
• For each unidirectional SA which has been established and has not expired, the SIP
application at the P-CSCF stores at least the following data: (UE_IP_address,
UE_protected_port, P-CSCF_protected_port, SPI, IMPI, IMPU1, ... , IMPUn, lifetime) in an
"SA_table". The pair (UE_protected_port, P-CSCF_protected_port) equals either (port_uc,
port_ps) or (port_us, port_pc).
• UE stores at least the following data: (UE_protected_port, P-CSCF_protected_port, SPI,
lifetime) in an "SA_table". The pair (UE_protected_port, P-CSCF_protected_port) equals
either (port_uc, port_ps) or (port_us, port_pc).
25. Set-up of security associations (Cont.)
• SM1: REGISTER (Security-setup = SPI_U, Port_U, UE integrity and encryption algorithms list)
– SPI_U is the symbolic name of a pair of SPI values (spi_uc, spi_us) that the UE
selects.
– spi_uc is the SPI of the inbound SA at the UE’s protected client port, and
spi_us is the SPI of the inbound SA at the UE’s protected server port.
– Port_U is the symbolic name of a pair of port numbers (port_uc, port_us)
• SM6: 4xx Auth_Challenge (Security-setup = SPI_P, Port_P, P-CSCF integrity and encryption
algorithms list)
– SPI_P is the symbolic name of the pair of SPI values (spi_pc, spi_ps) that the P-
CSCF selects. spi_pc is the SPI of the inbound SA at the P-CSCF’s protected
client port, and spi_ps is the SPI of the inbound SA at the P-CSCF’s protected
server port.
– Port_P is the symbolic name of the port numbers (port_pc, port_ps)
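Added example (not from the original slides): deriving the four unidirectional SAs from SPI_U/Port_U (SM1) and SPI_P/Port_P (SM6), then checking an inbound packet against the resulting table. Each SA carries the SPI chosen by its receiver and uses one of the port pairs (port_uc, port_ps) or (port_us, port_pc); the addresses, ports, SPI values and function names are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SA:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    spi: int  # allocated by the receiver of this unidirectional SA

def build_sa_pairs(ue_ip, pcscf_ip, spi_u, port_u, spi_p, port_p):
    """Derive the four SAs from SPI_U/Port_U (SM1) and SPI_P/Port_P (SM6)."""
    (spi_uc, spi_us), (port_uc, port_us) = spi_u, port_u
    (spi_pc, spi_ps), (port_pc, port_ps) = spi_p, port_p
    if len({spi_uc, spi_us, spi_pc, spi_ps}) != 4:
        raise ValueError("SPIs chosen by UE and P-CSCF must all differ")
    return [
        # Pair 1: UE client port <-> P-CSCF server port, i.e. (port_uc, port_ps)
        SA(ue_ip, port_uc, pcscf_ip, port_ps, spi_ps),
        SA(pcscf_ip, port_ps, ue_ip, port_uc, spi_uc),
        # Pair 2: P-CSCF client port <-> UE server port, i.e. (port_us, port_pc)
        SA(pcscf_ip, port_pc, ue_ip, port_us, spi_us),
        SA(ue_ip, port_us, pcscf_ip, port_pc, spi_pc),
    ]

def inbound_matches(sa_table, src_ip, src_port, dst_ip, dst_port, spi):
    """True only if addresses, ports and SPI all match one established SA."""
    return SA(src_ip, src_port, dst_ip, dst_port, spi) in sa_table

# Constructed values for one authenticated registration
UE, PCSCF = "2001:db8::10", "2001:db8::1"
TABLE = build_sa_pairs(
    UE, PCSCF,
    spi_u=(0x1111, 0x2222), port_u=(5062, 5063),   # (spi_uc, spi_us), (port_uc, port_us)
    spi_p=(0x3333, 0x4444), port_p=(5064, 5065),   # (spi_pc, spi_ps), (port_pc, port_ps)
)
```
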