Network Layer (Layer 3) VPNs

This section covers the following topics:

• Layer 3 tunneling

• Security associations and security policy for Internet Key Exchange (IKE) and IPSec

• Internet Security Association and Key Management Protocol (ISAKMP) and IPSec phases and modes

• Mutable and immutable fields and the Integrity Check Value (ICV)

• Fragmentation, path maximum transmission unit (MTU) discovery, and Internet Control Message Protocol (ICMP) processing

• IPSec modes

• IPSec protocols

• Authentication in VPN

Layer 3 Tunneling

Because of the abundance of available literature about Layer 3 tunneling, only a short description is provided in the following sections to cover the basics of the technology. A more in-depth analysis would require a separate book.

Layer 3 VPN technologies are designed to run at the network layer of the OSI model. Typically, these VPNs use the IP protocol as the network layer protocol, and they can include Layer 3 VPNs such as Multiprotocol Label Switching (MPLS) or IPSec, which is the IETF standard for encryption and encrypted tunnels. MPLS was covered earlier in this chapter. IPSec on Layer 3 is covered in the following sections.

RFC 2764 defines the framework for VPNs running across IP backbones. An IP tunnel operates as an overlay across the IP backbone, and the traffic sent through the tunnel is incomprehensible to the underlying IP backbone. In effect, the IP backbone is used as a link-layer technology, and the tunnel forms a point-to-point connection. Numerous IP tunneling mechanisms exist because Layer 3 tunneling is not a new technology. In fact, GRE with RFC 1701 has existed for a long time. Some protocols were initially not considered as tunneling protocols, such as IP/IP, GRE, and L2TP. Cisco first supported tunneling technology in Cisco IOS version 9.21, and provided IPSec support in Cisco IOS version 11.3(3)T and later versions.

Originally, IPSec was conceived as an extension for IPv4 with added security features. Now, IPSec is a framework of open standards for ensuring secure private communications over IP networks. It is based on an architecture model defined in RFC 2401, which covers the security features and architecture model for IPv4 and IPv6.^[6] Now, IPSec VPNs use the services defined within IPSec to ensure confidentiality, integrity, and authenticity of data communications across public networks.

Security Associations and Security Policy for IKE and IPSec

IPSec operates in a peer-to-peer relationship, rather than a client/server relationship. The security association (SA) is a convention (contract) between two parties that facilitates an IPSec-based conversation between two communicating parties. Each party (device, software client) must agree to the policies or rules of their conversation by negotiating these policies with their potential peer.

There are two types of SAs: ISAKMP SAs (also known as IKE SAs) and IPSec SAs (see RFC 2408 and 2409 for more details).

The IKE SA is bidirectional and provides a secure communication channel between the two parties that can negotiate further communications. The term bidirectional means that once established, either party can start Quick Mode, Informational, and New Group Mode exchanges. IKE SA is identified by the initiator's cookie, followed by the responder's cookie, and the role of each party in the Phase 1 exchange dictates what cookie is the initiator's. The cookie order established by the phase 1 exchange continues to identify the IKE SA, regardless of its direction. The main function of IKE is to establish and maintain the SAs. The following attributes are a minimal set that must be negotiated as part of the ISAKMP SA:

• Encryption algorithm

• Hash algorithm

• Authentication method

• Information about the group required to perform the Diffie-Hellman (DH) key agreement protocol

IKE provides negotiation, peer authentication, key management, and key exchange. IKE negotiates a contract between the two IPSec endpoints and the SA keeps track of all elements of the negotiation for a single IPSec session. After the successful negotiation, the active (valid) SA parameters are stored in the SA Database (SAD).

NOTE

To enable ISAKMP functionality, UDP port 500 must be open on the corporate firewalls.

The ISAKMP is strongly tied to policy management, which offers a different level of granularity. The ability to push or change policies on the user's CPE from the corporate concentrator is a major feature of the enterprise VPN design. The VPN 3000 Series Concentrator provides a configuration mode, which enables sending the remote user centrally controlled policies including Domain Name System (DNS), Windows Internet Naming Service (WINS), IP Address, and default domain name. This mode also provides functionality for save connection password, split tunneling, local LAN access control, remote access load balancing, centralized protection policy (firewall), personal firewall capability (are you there?), and software update notification.

The IPSec SA is unidirectional and is used for the actual communication between devices. Therefore, two-way communication between devices requires at least two IPSec SAs, one in each direction, because IPSec SA is a simplex data connection. For example, when a bidirectional TCP session exists between two systems, A and B, there is one SA from A to B and a separate SA from B to A. If both security protocols, Authentication Header (AH) and Encapsulating Security Payload (ESP), are applied to a unidirectional traffic stream, two SAs are created for the traffic stream.

NOTE

A SA is uniquely identified by an IP destination address, a security protocol (AH or ESP) identifier, and a unique security parameter index (SPI) value. A SPI is a 32-bit number assigned to the initiator of the SA request by the receiving IPSec endpoint. The SPIs for AH and ESP are not the same for a given traffic flow. The SPI value is a field in both the AH and ESP headers, and it identifies the appropriate SA for all the communications between the two end nodes. The three elements of a SA allow the receiving party to associate the received packet appropriately.

Negotiations of ISAKMP and IPSec Phases and Modes

SAs for both IKE and IPSec are negotiated by IKE over various phases and modes. The terms phases and modes denote the steps involved in establishing an IPSec connection. Key exchange and management is an important part of IPSec because of the number of keys that must be exchanged for parties to communicate securely.

Two methods of handling key exchange and management that are specified within IPSec include manual keying and IKE, which is based on ISAKMP/Oakley. IKE provides three modes for exchanging key information and setting up SAs: main, aggressive, and quick modes. The first two modes are phase 1 exchanges (main and aggressive), which set up the initial secure channelIKE SA. The other mode is the phase 2 exchange (quick), which negotiates IPSec SAs. When identity protection is not required, only the aggressive mode can be used to reduce the time required for negotiation.

In ISAKMP, phase 1 occurs when the two ISAKMP peers establish a secure, authenticated channel for communication. Main and aggressive modes each accomplish a phase 1 exchange, and are only related to phase 1. Phase 2 occurs when SAs are negotiated on behalf of services such as IPSec or other services that require key material or parameter negotiation. Quick mode accomplishes a phase 2 exchange and is used only in phase 2.

In IPSec, phase 1 IKE negotiates IPSec SAs. Two modes can be used for this phase: main mode is used in the vast majority of situations, and aggressive mode is used under some circumstances, given the particular configuration parameters between the two systems. The aggressive mode is typical for situations when authentication is not necessary, or was already performed earlier. (Cisco VPN Client 3.0.4 mainly uses aggressive mode). The user has no control over what mode is chosen; it is automatic and depends on the configuration parameters set up by both peers. In phase 2, IKE negotiates IPSec SAs and the exchange only uses quick mode.

The elements and functions of the IKE and IPSec negotiation, and the differences between modes are shown in Figure 19-10. (Some of the terms are discussed later.)

IPSec SAs terminate through deletion or by timing out. When the SAs terminate, the keys are discarded. When subsequent IPSec SAs are needed for flow, IKE performs a new phase 2 and, if necessary, a new phase 1 negotiation. A successful negotiation results in new SAs and new keys. New SAs can be established before the existing SAs expire, so a given flow can continue uninterrupted.

Mutable and Immutable Fields and the ICV

One of the services of IPSec is to provide access control and data integrity, so that no one can change any bits in the packet exchange between the two parties. The service, called connectionless data integrity, ensures that the original IP packet is not modified in transit from the source to the destination. However, any packet to be routed can undergo several transformations (changes to the content) to be delivered to the destination.

The ability to read the header of packets for routing purposes, while maintaining security of the data, is a controversy that is addressed by the calculation of the ICV. The ICV is a keyed hash that uses a shared secret value. The computation uses IP header fields that are either immutable in transit or that are predictable in value upon arrival at the endpoint for the SA. The upper-layer protocol data is assumed to be immutable in transit. For the purposes of this computation, the IP datagram fields are divided into three groups: immutable, mutable but predictable, and mutable.

Figure 19-11 shows the original IPv4 packet and the breakdown. The IP datagram is a variable-length packet that can be split into two major parts: the header (20-60 bytes), and the total size of 20-65,536 bytes. The header is designed in a way to provide the necessary information for delivery and routing.

Note the following about Figure 19-11:

• Version The first 4 bits are the version. The IPv4 uses 0100 in this field.

• Header length (HLEN) The value is provided to help calculate the length of the header because IP is a variable length. To determine the length, you must multiply by 4 because with 4 bits, a maximum of four 1s (15) can be coded. Therefore, 15 x 4 = 60 is the maximum HLEN.

• Type of service (TOS) Identifies how the datagram should be handled (normal delay, throughput, reliability). This field is mutable because some routers are known to change the value of this field, even though the IP specification does not consider TOS to be a mutable header field.

• Total length Specifies the length, in bytes, of the entire IP packet, including the data and header. It is a 2-byte field, which can code a maximum size of 2¹⁶ = 65,536 bytes.

• Identification This field is used for fragmentation. To pass large packets through networks with different MTUs, the packet must be fragmented. It identifies the sequence number.

• Flags This is a 3-bit field of which the low-order (least significant) 2 bits control fragmentation. The 3 bits are defined as follows:

  - Low-order bit specifies whether the packet can be fragmented.

  - Middle bit specifies whether the packet is the last fragment in a series of fragmented packets.

  - High-order bit is not used.

  The field is mutable because an intermediate router might set the Don't Fragment (DF) bit, even if the source did not select it.

• Fragmentation offset Provides the offset of the data in the original packet. The field is mutable because AH is applied only to non-fragmented IP packets; therefore, the Offset Field must always be 0 and is excluded (even though it is predictable).

• Time To Live (TTL) If the destination is not reached, it defines the number of hops/seconds that the packet can travel before being discarded. Every hop decrements the initial value by 1, so when the field contains 0 and the destination is not yet reached, the packet is discarded. The field is mutable because it changes due to the normal processing by routers, and therefore its value at the receiver end is not predictable by the sender.

• Protocol Contains information for the upper-layer protocols that are encapsulated in IP. For example, the protocol ID for UDP is 17, and for TCP, it is 6.

• Header checksum This 16-bit field checks the integrity of the header. It is a mutable field because it changes if any of the other fields change, and therefore, its value cannot be predicted by the sender.

• Source IP address This is a 32-bit IP address.

• Destination IP address This is a 32-bit IP address for the destination. It is mutable but predictable with loose or strict source routing.

• Options For IPv4 (unlike IPv6), there is no mechanism for tagging options as mutable in transit. As a result, the IPv4 options are explicitly listed and classified and the entire option is viewed as a unit. So, even though the type and length fields within most options are immutable in transit, if an option is classified as mutable, the entire option is zeroed for ICV computation purposes.

Fragmentation, Path MTU Discovery, and ICMP Processing

The fragmentation in VPN, path MTU discovery, and IPSec-related ICMP messages are discussed in detail in RFC 2401, "Security Architecture for the Internet Protocol." Some other studies, such as IETF MTU Discovery Working Group, and in particular RFC 1191, propose a technique for dynamically discovering the MTU of an arbitrary Internet path.

The fragmentation of the IP datagrams, if required, occurs after IPSec processing within an IPSec implementation. Thus, transport mode AH or ESP is applied only to entire IP datagrams (not to IP fragments). An IP packet to which AH or ESP has been applied can itself be fragmented by intermediate routers, but such fragments must be reassembled prior to IPSec processing at a receiver. In tunnel mode, AH or ESP is applied to an IP packet, the payload of which can be a fragmented IP packet.

Of course, the official minimum MTU (see RFC 791) can process the IP packets, but that would be wasting Internet resources in most cases. In fact, this results in the use of smaller datagrams than necessary because many paths have a Path MTU (PMTU) greater than 576. Furthermore, current practice does not prevent fragmentation in all cases because some path's PMTU is less than 576. These realities essentially emphasize the importance of the fragmentations and related MTU issues. The key suggestion here is that "when one IP host has a large amount of data to send to another host, the data is transmitted as a series of IP datagrams. It is usually preferable that these datagrams be of the largest size that does not require fragmentation anywhere along the path from the source to the destination. This datagram size is referred to as the Path MTU (PMTU), and it is equal to the minimum of the MTUs of each hop in the path. A shortcoming of the current Internet protocol suite is the lack of a standard mechanism for a host to discover the PMTU of an arbitrary path." ^[7]

The PMTU depends on the different modes and protocols applied to the remote access VPN solution because different protocols and modes add different overhead to the IP datagrams. See the section, "IPSec Protocols" for more details about IPSec protocols. For the purposes of this explanation, the general format of the datagrams in the tunnel mode, in terms of the TCP/IP stack, look similar to the following.

The AH datagram includes the following:

• IP2New (second) IP header

• AH header

• IP1Original IP header

• TCP header

• TCP data

The ESP datagram includes the following:

• IP2New (second) IP header

• ESP header

• IP1Original IP header

• TCP header

• TCP data

• ESP trailer

Information is provided in Chapter 4, "Troubleshooting Approaches, Models, and Tools," about using the ping utility and ICMP protocol to perform the reachibility test between two hops in the network. The same ICMP protocol can perform additional functionality about PMTU discovery. The term PMTU Discovery or ICMP PMTU refers to an ICMP message used for PMTU Discovery.

The suggested approach in RFC 1191 is based on the interaction between certain unused fields in the ICMP header and the maximum segment size (MSS) field of the TCP protocol. After the original IP datagram is encapsulated by any of the IPSec protocols, it changes its format. Also, when used with the ICMP protocol, the format changes in the following fashion:

• IP3 header (third header, which includes source and destination information)

• ICMP header (includes PMTU)

• IP2 header (second header, which includes source and destination information), where:

  - If the protocol is ESP, the minimum of 64 bits includes the security parameter index (SPI) (32 bits), and sequence number (32 bits).

  - If the protocol is AH, the minimum of 64 bits includes the next header (8 bits), payload len (8 bits), reserved (16 bits), and SPI (32 bits).

To make this possible, the ICMP protocol must include the MTU of that next-hop network in the low-order 16 bits of the ICMP header field that is labeled unused" in the ICMP specification. The high-order 16 bits remain unused, and must be set to 0. The format of the ICMP header is shown in Figure 19-12.

Another approach to the MTU discovery process is based on a simple suggestion that, regardless of the content of the IP datagram after the IPSec encapsulation (MD5-ESP-3DES), the ICMP overhead is always 28 bytes when it is used with ICMP: Type = 0 (Echo reply) and ICMP: Code = 0. For more explanations about approach and how to use it for troubleshooting, see the section, "Determining a Functional MTU Between the VPN Host and Concentrator," in Chapter 21, "Remote Access VPN Troubleshooting," and Case 4 of Chapter 22, "Remote Access VPN Troubleshooting Scenarios."

Both solutions provide successful solutions in most cases. However, they can become complicated if you consider some realities in the existing networks.

One reality is the blocking of ICMP messages from most providers, or enterprise firewalls. Another obstacle for implementation can be the existence of black hole routers. A black hole router does not return ICMP destination unreachable messages when it needs to fragment a TCP packet with the DF bit set. TCP depends on receiving these messages to perform PMTU Discovery. One possible approach here is to modify the TCP in a way that TCP tries to send segments without the DF bit set, if several retransmissions of a segment go unacknowledged. If the segment is acknowledged as a result, the MSS is decreased and the DF bit is set in future packets on the connection. Enabling black hole detection increases the maximum number of retransmissions performed for a given segment. It is disabled by default in Windows.

IPSec Modes

IPSec provides secure communication between two hosts, from a host to a security gateway, or between two security gateways. A security gateway is a device, such as a router, firewall, or a dedicated VPN concentrator, which provides IPSec services (that is, terminates the IPSec connection) and passes traffic through the tunnel to the other side. IPSec can operate in one of two modes to accommodate different types of connections: transport mode and tunnel mode.

With transport mode, the AH or ESP is placed after the original IP header, so only the IP payload is encrypted and the original IP headers are left intact. Transport mode can be used when both end hosts support IPSec. This mode has the advantage of adding only a few bytes to each packet and it also allows devices on the public network to see the final source and destination of the packet. This capability enables special processing (for example, quality of service) in the intermediate network, based on the information on the IP header. However, the Layer 4 header is encrypted, which limits the examination of the packet (see Figure 19-14 and Figure 19-17 later in this chapter).

With tunnel mode, the entire original IP packet is encapsulated within AH or ESP, and a new IP header is placed around it. So, the original IP datagram is encrypted and becomes the payload in a new IP packet. This mode allows a network device, such as a router, to act as an IPSec proxy that performs encryption on behalf of the host. The source's router encrypts packets and forwards them along the IPSec tunnel. The destination's router decrypts the original IP datagram and forwards it on to the destination system. Therefore, the new IP header has the source address of the gateway itself. With tunnel mode operating between two security gateways, the original source and destination addresses can be hidden through the use of encryption. Tunnel mode is used when one or both sides of the IPSec connection are a security gateway and the actual destination hosts behind it do not support IPSec (see Figure 19-15 and Figure 19-18 later in this chapter).

IPSec Protocols

In a TCP/IP environment, IPSec protocols offer security services at the network layer. These services include the following:

• Access control prevents unauthorized use of a resource, such as the network behind a security gateway (router, firewall).

• Authentication service includes the following:

  - Connectionless integrity, which detects any modification to data within individual IP packets, regardless of their position in a data stream.

  - Data origin authentication, which verifies the source of the data.

• Anti-replay protection (optional) occurs when the sender must increment the sequence number, and the receiver (if this option is chosen) must detect the arrival of the duplicate IP sequence packet number.

• Confidentiality protects data from unauthorized disclosure by using encryption. Limited traffic-flow confidentiality occurs by hiding the original source and destination addresses as part of the data when using ESP in tunnel mode.

Because both AH and ESP provide access control, the main decision to make when choosing security services is whether you need authentication or both authentication and encryption.

To give you a better feel for the issues surrounding IPSec protocols, the discussion is divided into the following topics:

• IP authentication header

• IP encapsulating security payload

IP Authentication Header and RFC 2402

The AH provides connectionless data integrity and data origin authentication as part of the authentication of IP packets.

Connectionless data integrity means that the original IP packet was not modified in transit from the source to the destination. AH provides authentication for as much of the IP header as possible, and for upper-level protocol data. However, some IP header fields can change in transit and the value of these fields might not be predictable by the sender, when the packet arrives at the receiver. The values of such fields cannot be protected by AH; therefore, the protection provided to the IP header by AH is not considered strong enough.

AH can be applied alone, in combination with the IP ESP, or in a nested fashion. Security services can be provided between a pair of communicating hosts, security gateways, or between a security gateway and a host. ESP can provide the same security services as AH, but it also provides a confidentiality (encryption) service. The AH header is shown in Figure 19-13.

NOTE

To ensure AH functionality, protocol 51 must be open in the corporate firewalls.

The AH is inserted into the IP packet between the IP header and the rest of the packet's contents. It contains a cryptographic checksum of the packet's contents, including the parts of the IP header itself that are immutable in transit.

Figure 19-14 shows the IP packet before and after applying the AH in transport mode.

Figure 19-15 shows the IP packet before and after applying the AH in tunnel mode.

The default cryptographic algorithms for calculating the checksum are hash-based message authentication code (HMAC) coupled with the Message Digest 5 (MD5) hash function, or HMAC coupled with the Secure Hash Algorithm (SHA-1) function. When taking a received message and calculating the same cryptographic checksum, then comparing it with the value received, the receiver can verify that the message has not been altered in transit.

Calculation of ICV in AH

The ICV calculation includes the following components of AH: next header, payload length, reserved, SPI, sequence number, authentication data (which is set to 0 for this computation), and explicit padding bytes (if any) (see Figure 19-13).

AH also provides a limited anti-replay service that counters a denial of service (DoS) attack, based on an attacker intercepting a series of packets and then replaying them. It should be noted that the anti-replay service can affect performance, if the network reorders packets to provide higher QoS for certain types of traffic. If the packets arrive outside the anti-replay window, IPSec rejects them. AH is not widely used for IPSec implementations across the Internet because it does nothing to keep the packet contents confidential. For confidentiality, ESP must be used.

IP ESP and RFC 2406

The ESP header is designed to provide a mix of security services in IPv4 and IPv6. ESP can be applied alone, in combination with AH, or in a nested fashion. Security services can be provided between a pair of communicating hosts, a pair of communicating security gateways, or a security gateway and a host. The ESP objectives reflect the ESP header format that is shown in Figure 19-16.

NOTE

To enable ESP functionality, protocol 50 must be open in the corporate firewalls.

ESP provides confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic flow confidentiality. The set of services enabled depends on the options selected at the time of SA establishment.

The ESP header is inserted after the IP header and before the upper-layer protocol header (in transport mode), or before an encapsulated IP header (in tunnel mode). Figure 19-17 shows how the IPv4 packet is modified in transport mode, and Figure 19-18 shows the IPv4 packet transformation in tunnel mode.

Confidentiality in ESP is achieved through encryption. Encryption is the process of taking a clear text message, and passing it through a mathematical algorithm to produce what is known as ciphertext. Decryption is the reverse process. Encryption algorithms typically rely on a value, called a key, to encrypt and decrypt the data.

Two major forms of encryption are used today: symmetric encryption (also known as shared-key encryption) and asymmetric encryption (know as public/private key encryption). Symmetric encryption is approximately 1000 times faster than asymmetric encryption, and is therefore used for the bulk encryption of data. Generally, with well-designed encryption algorithms, longer keys result in a higher degree of security because more brute force is required to try every possible key (known as the key space) to decrypt a message.

ESP supports a variety of symmetric encryption algorithms for data encryption. The Data Encryption Standard (DES) is the default algorithm that uses a 56-bit key and has been in use for about 20 years. However, DES has been susceptible to brute-force attacks, so Triple DES (3DES) is now the standard algorithm recommended for most business use because it encrypts the data three times with up to three different keys. ESP encrypts the higher-level protocol information (such as the TCP header) and the actual data itself. The authentication services of ESP do not protect the new IP header of the packet.

On May 26, 2002, the Advanced Encryption Standard (AES) became a finalized Federal Information Processing Standard (FIPS)-approved cryptographic algorithm for purposes of protecting transmissions of electronic data (see FIPS PUB 197). AES is a new, faster, and more secure standard encryption algorithm, and it is being considered by Cisco for future two-phase implementations. The first phase includes the software (IOS) version and the second phase includes the hardware version. AES is expected to be considered as a baseline functionality in mid 2002 and early 2003, and VPN solutions and devices without high-speed AES support will not be considered for many VPN deployments.

The underlying algorithm for AES is called Rijndael. AES specifies three key sizes: 128, 192, and 256 bits. In decimal terms, this indicates that there are approximately the following:

• 3.4 x 10³⁸ possible 128-bit keys

• 6.2 x 10⁵⁷ possible 192-bit keys

• 1.1 x 10⁷⁷ possible 256-bit keys

In comparison, DES keys are 56-bits long, which indicates that there are approximately 7.2 x 10¹⁶ possible DES keys. Hence, there are on the order of 10²¹ times more AES 128-bit keys than DES 56-bit keys. For more information, see the article, "AES an Approved Cryptographic Algorithm" (Cisco Packet Magazine, Q3 2002; also available at www.cisco.com/warp/public/784/packet/standards.html).

NOTE

In the late 1990s, specialized DES Cracker machines were built that could recover a DES key after a few hours. Assuming that someone could build a machine that could recover a DES key in a second (that is, try 2⁵⁵ keys per second), it would take that machine approximately 149 trillion years to crack a 128-bit AES key. To put this in perspective, the universe is believed to be less than 20 billion years old.

The anti-replay service can be used only if data origin authentication is selected, and its election is solely at the discretion of the receiver. However the default requires the sender to increment the sequence number used for anti-replay, and the service is effective only if the receiver checks the sequence number. Traffic flow confidentiality requires the selection of tunnel mode, and it is most effective if implemented at a security gateway, where traffic aggregation can mask true source-destination patterns. Although both confidentiality and authentication are optional, at least one must be selected. Most IPSec VPN implementations today use ESP.

Calculation of ICV in ESP

If authentication is selected for the SA, the ICV calculation includes the following components: SPI, sequence number, payload data, padding (if present), pad length, and next header. In general, the sender computes the ICV over the ESP packet, except for the authentication data. The last four fields are in ciphertext form because encryption is performed prior to authentication.

Authentication in VPN

Authentication in VPN has several aspects that include the following:

• Client authentication, VPN group name, and group password

• User/identity authentication

• Key management, DH algorithm, and methodology

• Cisco and IPSec message authentication (integrity) and confidentiality

The text discusses each in turn.

Client Authentication, VPN Group Name, and Group Password

The group name and group password approach simplifies policy enforcement because a user can be a member of a group of users who have common policy requirements. For example, a single change can be made to a group that affects hundreds of users versus making changes for every single user. Groups and users are core components in managing the security of VPNs, and in configuring the Cisco VPN 3000 Concentrator. They have attributes that determine their access to and use of the VPN. Users are members of groups and groups are members of the base group. Users inherit attributes from groups and groups inherit attributes from the base group. The VPN client can be configured with an active group name and group password to provide a user prompt, and be authenticated by a RADIUS server if the Group Lock feature on the concentrator is turned on.

Groups simplify system management. By configuring the base group first, then specific groups, and finally users as members of groups, you can quickly manage access and usage rights for large numbers of users. Associating users with specific groups simplifies the configuration of the VPN, while providing granular control over who has access to certain resources. When configuring groups and users, only the attributes that differ from those defined in the base group need to be defined and all other attributes are inherited from the base group.

The group name and group password for VPN users are stored locally on the concentrator or server. When the client tries to connect to the concentrator, it has to provide the same group name and password to be recognized as an eligible user. After a successful negotiation, a typical message from the log of both peers is Peer Is a Cisco Unity Compliant Peer, which indicates a successful group name and password authentication.

Another important feature allows the VPN administrator to group different user requirements into different client groups. For example, some users have Network Address Translation (NAT) configured within their home LAN, so that when they connect to the concentrator, it must recognize that the user is NATing and adjust. The concentrator can determine if the user is NATing or not based on the group name and password they used to connect.

User/Identity Authentication

One of the basic functions for key exchange is to ensure that the exchange occurs between trusted sources. This requires user identity verification and it is related to the non-repudiation feature, which prevents a communicating party from later denying having participated. User identity requires proof of identity of the sender and it is based on digital signatures and authentication mechanisms. The Cisco VPN Client (Unity) supports the following digital certificates:

• Simple Certificate Enrollment Protocol (SCEP) and certificates enrolled with Microsoft Internet Explorer.

• Supported certification authorities (CAs) that include Entrust, GTE Cybertrust, Netscape, Baltimore, RSA, Keon, Verisign, and Microsoft.

• Entrust Intelligence Client support.

• Smartcards are supported through MS CAPI (CRYPT_NOHASHOID), and include Activcard (Schlumberger cards), eAladdin, and Gemplus.

Supported authentication mechanisms are as follows:

• RADIUS with support for the following:

  - State/Reply Message attributes (token cards)

  - Security dynamics (RSA SecurID Ready)

  - Microsoft NT domain authentication

  - MSCHAPv2NT password expiration

  - X.509v3 digital certificates

• Extended Authentication (XAUTH) within IKE provides user authentication of IPSec tunnels within the IKE protocol. XAUTH prompts the user for authentication material (user name + password), and verifies this information through the use of a TACACS+/RADIUS authentication, authorization, and accounting (AAA) server. User authentication occurs between IKE phase 1 and phase 2. If the user successfully authenticates, establishment of the phase 2 SA (IPSec SA) allows the remote user's data to be sent securely to the private network. If the user fails to authenticate, no phase 2 SA is established and the user is not able to send data.

External User AuthenticationRADIUS

Individual user authentication information, such as user name and password, can be stored locally, which is more appropriate for small installations. Larger installations must use RADIUS or Terminal Access Controller Access Control System Plus (TACACS+), with an external database capable of supporting a large number of remote users. Larger sites with thousands of users are only limited or restricted by the authentication, authorization, and accounting (AAA) server's capacity.

NOTE

The RADIUS server is based on a protocol for AAA that was developed by Livingston Enterprises, Inc. (see RFC 2866). Cisco has incorporated the RADIUS client into Cisco IOS 11.1.

TACACS was introduced with Cisco products and has been in use for many years. The extension of the original TACACS was commonly called Extended TACACS or XTACACS, and was introduced in 1990. Both are documented in RFC 1492. The third is TACACS+, which despite the name, is a completely new protocol and is not compatible with TACACS or XTACACS.

RADIUS is the main choice for external user authentication in existing VPNs. It is composed of a protocol with a frame format that uses UDP/IP, a server, and a client.

The RADIUS server runs on a central computer, usually at the customer's site, and the clients reside in the access servers that can be distributed throughout the network. The RADIUS client is typically a NAS and the RADIUS server is usually a daemon process, which runs on a UNIX or Windows NT machine. The client passes user information to designated RADIUS servers, and acts on the response that is returned. RADIUS servers receive user connection requests, authenticate the user, and return the configuration information necessary for the client to deliver service to the user. A RADIUS server can act as a proxy client to other RADIUS servers or other kinds of authentication servers.

Packet Encryption

RADIUS only encrypts the password in the access-request packet from the client to the server. The remainder of the packet is in clear text. Information other than the encrypted password, such as username, authorized services, and accounting, can be intercepted by a third party. RADIUS can use encrypted passwords by using UNIX /etc/passwd file; however, this process is slow because of the time consuming linear file searches.

Authentication and Authorization

RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contains authorization information, which makes it difficult to separate authentication from authorization.

NOTE

Starting with release 3.0 of the VPN 3000 Concentrator, you can use TACACS+ for administrative authentication. After configuring TACACS+, ensure that you test authentication before logging out. An incorrect configuration of TACACS+ can lock you out, and require a console port login to disable TACACS+ and rectify the problem.

VPN and RADIUS

VPN uses server authentication that is similar to a dialup environment. The client passes user information to designated RADIUS servers, and acts on the response that is returned. The RADIUS server receives user connection requests, authenticates the user, and returns the configuration information necessary for the client to deliver service to the user (see Figure 19-19).

The following summarizes the process:

1. The user starts an IPSec tunnel to the VPN concentrator by using the VPN client.

2. The VPN concentrator prompts for username and password.

3. The user replies.

4. The RADIUS client sends a username and encrypted password to the RADIUS server.

5. The RADIUS server responds with Accept, Reject, or Challenge.

6. The RADIUS client acts upon services and service parameters that are bundled with Accept or Reject.

Every authentication method deserves special attention, which exceeds the objectives of this book. However, the XAUTH within IKE is extensively used by Cisco VPN solutions, and deserves more attention here.

XAUTH

IKE enables a device to set up a secure session by using a bidirectional authentication method, which uses either preshared keys or digital certificates. However, IKE does not provide a method to leverage legacy authentication methods that are widely deployed today. XAUTH is not designed to replace or enhance existing authentication mechanisms, but rather to enable them to be extended by using legacy unidirectional authentication mechanisms such as RADIUS, SecurID, and one-time password (OTP) within IPSec's ISAKMP protocol.^[8]

This XAUTH protocol is designed so that the authentication can be accomplished by using any mode of operation for phase 1 (such as main mode or aggressive mode), and as any authentication method supported by IKE. This protocol can also be easily extended to support new modes of authentication methods, but it does require that the phase 1 authentication method be fully secure. XAUTH adds a vendor ID that must be authenticated whenever possible. The vendor ID for this revision of XAUTH is the following 8 bytes:

Vendor ID = 0x09002689DFD6B712

XAUTH provides a mechanism for five basic types of authentication:

• Simple authentication

• Challenge-response authentication

• Two-factor authentication

• OTPs

• User previously authenticated

An example of an authentication mechanism, where the user password is hidden by an encryption mechanism, follows (see Figure 19-20).

Designed for future use, XAUTH supports the following authentication types: 0Generic, 1-RADIUS-CHAP, 2-OTP, and 3-S/Key. Types 4-32767 are reserved for future use, and types 32768-65545 are reserved for private use.

Key Management, DH Algorithm, and Methodology

Confidentiality services can be selected independent of other services. However, use of confidentiality without integrity/authentication (either in ESP or separately in AH), might subject traffic to certain forms of active attacks that can undermine the confidentiality service. Therefore, authentication is offered as an option in conjunction with confidentiality. RFC 2401 defines two methods of authentication and key management: manual keying, and automated keying through IKE. Valid authentication methods include the following:

• Preshared keys

• Digital signature standard (DSS) signatures

• RSA signatures

• Encryption with RSA

• Revised encryption with RSA

A DH exponential algorithm generates a strong initial key.

NOTE

The Diffie-Hellman key agreement protocol (also called an exponential key agreement) was developed by Whitfield Diffie and Martin Hellman in 1976, and was published in New Directions in Cryptography. The protocol enables two users to exchange a secret key over an insecure medium without any prior secrets.

Before IKE proceeds, the parties must agree on how to authenticate themselves to each other. This authentication method is negotiated during the IKE phase main mode exchange. The following mechanisms are in use today:

• Preshared keys that involve the manual installation of the same key on each peer.

• Encrypted nonces that generate an asymmetric encryption public/private key pair for each peer, then manually copy the public key of each peer to every other peer.

• Digital certificates are issued by a trusted third party, called a CA, to validate the authenticity of each peer and to offer the added benefit of non-repudiation, so a peer can verify that a communication actually took place.

When remote access clients are involved, a second level of user authentication occurs after device authentication, which occurs through the IKE SA. The headend starts an XAUTH request to the remote user, which prompts for the username-password/passcode pair.^[9] After authentication is completed in the first phase, the second phase connects the remote and local networks.

The DH algorithm is still considered the strongest by the cryptographic society. In the DH key agreement, the two parties, without any prior arrangements, can agree upon a secret key that is known only to them (often called a shared secret or a key encryption key). This secret key can then encrypt further communications between the parties. The shared secret encrypts the symmetric key (or data encryption keysuch as DES, Triple DES, CAST, International Data Encryption Algorithm [IDEA], or Blowfish) for secure transmission.

Asymmetric key systems use two keys: the private key, which the user keeps secret, and the public key, which can be shared with the world. Unfortunately, the asymmetric key calculation is extremely slow. Today, it is a typical practice to use a symmetric system to encrypt the data, and an asymmetric system to encrypt the symmetric keys. This is how you use DH.

The basis for the DH algorithm is the difficulty of calculating logs in modular arithmetic (see the following Note). The process begins when each side of the communication generates a private key. Each side then generates a public key, which is a derivative of the private key. The two systems then exchange their public keys, so that each side of the communication now has its own private key and the other system's public key. Because of the complexity of the algorithm, its explanation goes beyond the scope of this book. The methodology of the DH algorithm can be found in the article "IPSec-Based VPNs and Related Algorithms," by P. Nedeltchev and R. Ratchkov (Cisco Packet Magazine, Q2 2002; and at www.cisco.com/warp/public/784/packet/apr02/pdfs/plamen.pdf).

NOTE

The expression x = y (mod m) reads as "x is equivalent to y, modulo m." The statement a + kp = a (mod p) should be fairly obvious. The Chinese Remainder Theorem states that x = y (mod p) and x = y (mod q) is the same as x = y (mod pq), if p and q are coprimes. The Fermat/Euler Theorem rules that if p is prime, x^p 1 = 1 (mod p). RSA correctness rules that if d and e are generated in a way that de = k(p 1)(q 1) + 1, and k is an integer, the encryption/decryption process can be written as x^ed % pq. ^[10]

The cost of some methods for computing discrete logarithms depends on the length of the prime, and the cost of others depends on the length of the private value. The intention of selecting a private-value length is to reduce the computation time for key agreement, while maintaining a given level of security. The time to execute the algorithm by software is proportional to D³, where D is the number of bits of p. Therefore, increasing from 200 to 800 bits raises the complexity by a factor of 64.

The length of the primes that defined DH-Groups, or Oakley Default Groups, are as follows:

Group 1 Default 768-bit (300h)

Group 2 Alternate 1024-bit (400h)recommended

Group 3 EC2N group on GP[2¹⁵⁵]

Group 4 EC2N group on GP[2¹⁸⁵]

Group 5 Prime length 1536 bits (600h)

NOTE

The Cisco VPN 3000 Concentrator uses DH group 7 as well. The DH group 7 generates IPSec SA keys that are based on an elliptical curve field (ECC) size of 163 bits. You can use this option with any encryption algorithm and any peer that supports ECC group 7, but it is intended for use with the movianVPN (wireless) client.

The DH key exchange is vulnerable to a man-in-the-middle (MIM) attack because it does not authenticate the participants. The attack consists of someone intercepting both public keys and forwarding bogus public keys of their own. The MIM can potentially intercept encrypted traffic, decrypt it, copy or modify it, re-encrypt it with the bogus key, and forward it on to its destination. If successful, the parties on each end have no idea that there was an unauthorized intermediary. The authenticated DH key agreement protocol, or Station-to-Station (STS) protocol, was developed by Diffie, van Oorschot, and Wiener in 1992, to defeat the MIM attack on the DH key agreement protocol.^[11] Immunity is achieved by allowing the two parties to authenticate themselves to each other through the use of digital signatures and public-key certificates.

NOTE

The MIM is addressed in ISAKMP (see RFC 2408), where not only MIM, but two other types of ISAKMP protection, including anti-clogging (DOS) and connection hijacking are addressed.

The longer that a symmetric key is in use, the easier it is to perform a successful crypto-analytic attack against it. Therefore, changing keys frequently is important. Both sides of the communication still have the shared secret and it can be used to encrypt future keys at any time and for any frequency desired.

RFC 2401 defines perfect forward secrecy (PFS), where a shared secret encryption key refresh involves combining the current key with a random number to create a new key. PFS enforces the recalculation of the shared secret key from scratch by using the public and private key generation and DH techniques. It recalculates to avoid the situation where a hacker might have derived a particular secret key. PFS allows a new key to be calculated that has no relationship to the preceding key.

The PFS is closely related to SA Lifetime, where an SA Lifetime determines the period of time that a security association is valid. It also determines how often a key is refreshed or recalculated. A lifetime can be measured in seconds or kilobytes and is applied to both the IKE SA and IPSec SAs.

Cisco and IPSec Message Authentication (Integrity) and Confidentiality

IPSec provides numerous security features that are based on a family of algorithms, which perform transformations over different fields of packets. The content transformation of the packet is governed by HMAC, as defined by RFC 2104. As previously mentioned, it is based on a secret key that is available to both parties and the key material generation precedes the packet content transformation. Codes based on cryptographic hash functions are called HMAC. RFC 2104 defines HMAC as the following:

H (K xor opad, H (K xor ipad, text))

H Denotes a cryptographic hash function

K Denotes a secret key

text The input text stream

HMAC can use any cryptographic hash function, such as MD5 and SHA-1, and it is at least as strong as the hash function it uses. This also allows for easy cryptographic analysis of the HMAC, where only the underlying hash function is analyzed. Assuming that H is a cryptographic hash function that iterates over a block of data, with byte length B for each block, ipad and opad are fixed length strings that are defined as follows:

ipad = 0x36 repeated B times

opad = 0x5C repeated B times

The enterprise can define the policy and implement a high level of granularity by using different algorithms. The algorithm's parameters are configurable and include type of data encryption, device authentication and credentials, data integrity, address hiding, and SA key aging. The IPSec standard requires the use of either data integrity or data encryption, and using both is optional. Cisco highly recommends using both encryption and integritysee the site www.cisco.com/go/safe. Do not use hash functions for encryption. Cisco recommends the use of 3DES for data encryption, and either MD5 or SHA-1 for data integrity (message authentication).

Because of the greater bit strength of SHA-1, it is considered more secure. Cisco recommends the use of SHA-1 mainly for S2S VPNs because the increased security outweighs the slight increase in processor overhead (in fact, SHA-1 is sometimes faster than MD5 in certain hardware implementations).^[12]

Both IPSec phases offer the ability to change the lifetime of the SA. You might consider changing the lifetime from the default setting, when the sensitivity of the tunneled data demands replacing the encryption keys and re-authenticating each device on a more aggressive basis. For more information about transformation, hashing, and encryption techniques, see the IPSec family of standards that recommends certain mandatory choices, which are called conformance requirements. The valid choices, supported and recommended by Cisco, are documented in Table 19-2.

In conclusion, Cisco announced major new capabilities in March 2002, for a Unified VPN (UVPN) suite of protocols that will increase service provider reach, and allow enterprises greater choices and flexibility. A first in the industry, UVPN was introduced with complete support for Layer 2 and Layer 3 VPN technologies. The second phase of Unified VPN Suite will support Multiprotocol Label Switching/Border Gateway Protocol based (MPLS/BGP) VPNs, IPSec, and generic routing encapsulation (GRE). It will integrate Layer 2 access VPNs and simplify deployment. As the latest addition to Cisco IOS Software, L2TP version 3 appears to offer a promising path to efficiently deliver Layer 2 services. One of the features in the UVPN is Cisco's EasyVPN, which is discussed in detail in the following chapters.