The IPSec (Internet Protocol Security) mechanism offers security services (authentication, integrity and confidentiality) in an identical way in IPv4 and IPv6. Their implementation is optional in IPv4 but mandatory in IPv6. Their use is optional.
Security services are offered through the use of AH (Authentication Header) or ESP (Encapsulating Security Payload) extensions of the IPv4 or IPv6 header.
To secure a two-directional communication between two end points, a security association (SA) pair is required. The IKEv2 (Internet Key Exchange version 2) protocol dynamically ensures the creation of the security association.
A security association contains the following parameters:
The IPSec mechanism defines the following three databases:
The selector is the mechanism enabling identification at the source of the security association to be applied to traffic. The selector uses the following fields:
For an outgoing packet, the selector consults the SPD that defines the process to be applied to the packet:
The deletion of a packet causes the generation from the security gateway toward the source of an ICMP message with the following characteristics:
The security parameter index (SPI) is a field in the AH or ESP header used by the destination to identify the security association in a unique way. The destination uses this index to extract the security association parameters from the SAD.
For an incoming packet, the SPD is consulted if the packet is not protected, and the instruction (BYPASS or DISCARD) is applied. If the IP packet is protected, then the SPI field is used to recover the parameter of the security association.
The IPSec mechanism introduces two IPv4 or IPv6 header extensions:
The presence of the AH extension is indicated by the Next Header (in IPv6) or Protocol (in IPv4) field of the previous header, with a value of 51.
The AH extension contains the following fields (Figure 7.1).
Next Header: this field, coded on one byte, indicates the type of header following the ESP extension.
Payload Length: this field, coded on 1 byte, provides the extension size in multiples of four bytes, not including the first eight bytes. The size of the extension in IPv6 must remain a multiple of eight bytes.
Security parameters index (SPI): this field, coded on four bytes, contains a value pertaining to the previously negotiated security association.
Sequence Number: this field, coded on four bytes, contains a value increased by one unit for each IPv4 or IPv6 packet transmitted. This field enables protection against replay. This field has a value of 1 for the first packet transmitted. When the counter reaches the maximum value, a new security association must be negotiated in order to avoid the start of a new cycle.
An extended sequence number (ESN), coded on eight bytes, constitutes an option, making it possible for the lifetime of the security association to be prolonged. In order to preserve the structure of the extension, the 32 least significant bits are transmitted in the sequence number field. However, the seal is calculated on all 64 bits.
Integrity check value (ICV): this field is coded on a multiple of four bytes and contains the seal of the data, ensuring authentication and integrity checking.
The presence of the ESP extension (Figure 7.2) is indicated by the Next Header (in IPv6) or Protocol (in IPv4) field of the previous header, with a value of 50.
The ESP extension contains the same fields as the AH extension. It starts with the SPI and Sequence Number fields. After these fields come the encapsulated data, which may contain synchronization data (initialization vector) of the encryptor. Following the encapsulated data, the extension ends with the following fields: Padding, Pad, Length, Next Header and optionally ICV (authentication, data).
The Padding field is necessary when block encryption is used, and the block must be of a certain size, to align the packet size with a multiple of four bytes.
For transport mode, the AH or ESP header is inserted between the IP header and the source IP packet payload. In the IPv6 environment, the AH or ESP header appears after the Hop-by-Hop, Destination, Routing and Fragment extensions.
For tunnel mode, the AH or ESP header encapsulates the source IP packet, and the whole is encapsulated in its turn by a new IP header. The tunnel corresponds to a data structure, in which an IP packet contains another IP packet.
When the AH header is used, authentication is applied to the whole packet except for the variable fields of the IP header (Figure 7.3).
The variable fields of the IPv4 header are set at ZERO to calculate the authentication digest:
The set of IPv4 header options is considered as a single entity. Some options can be modified by an intermediary router. If a single modifiable option appears, then the set of options is set at ZERO for the authentication digest calculation.
The variable fields of the IPv6 header are set at ZERO for the authentication digest calculation. These are identical fields to the ones in the IPv4 header (DSCP, ECN and Hop Limit), as well as the Flow Label field.
The Hop-by-Hop and Destination extensions of the IPv6 header have a bit that indicates whether the option can be modified by an intermediary router or not. If this bit is set at ONE, then the extension is set at ZERO for the authentication digest calculation.
When the ESP header is used in transport mode, the confidentiality service is applied to the encapsulated data and ESP tail. Authentication and integrity services cover the ESP header, encapsulated data and ESP tail (Figure 7.4).
When the ESP header is used in tunnel mode, the confidentiality service is applied to the source IP packet and ESP tail. Authentication and integrity services cover the ESP header, source IP packet and ESP tail (Figure 7.4).
Note that in transport mode, the Destination extension can appear before, after or simultaneously before and after the AH or ESP extension.
The IKEv2 protocol is more simplified than the previous version. It combines the functionalities defined in IKEv1 and Internet security association and key management protocol (ISAKMP) while removing unnecessary processes. It eliminates the generic character of the previous version, integrating the domain of interpretation (DOI) function, which defines the parameters specific to the ESP/AH security association.
Each IKEv2 message is composed of a header (HDR) and a sequence of blocks. The IKEv2 message is encapsulated by a UDP header with source and destination port values of 500 or 4500. When the 4500 port is used, the IKEv2 message is preceded by four bytes at ZERO.
The header of the IKE message contains the following fields (Figure 7.5):
Initiator’s SPI: this field, coded on eight bytes, incorporates a value chosen by the initiator. It initializes identification of the IKE security association.
Responder’s SPI: this field, coded on eight bytes, incorporates a value chosen by the responder. It completes the identification of the IKE security association.
Next Payload: this field, coded on one byte, incorporates the indication of the type of block following the header (Table 7.1).
Major Version: this field, coded on four bits, indicates the maximum value of the IKE protocol version that can be used. This value is equal to 2 for the implementation of the IKEv2 protocol.
Minor Version: this field, coded on four bits, indicates the minimum value of the IKE protocol version. This value is equal to 0 for the implementation of the IKEv2 protocol.
Exchange Type: this field, coded on one byte, indicates the type of exchange to which the message belongs:
Each type of exchange imposes a certain number of required blocks composing the message and defines optional blocks.
Table 7.1. Block types
Notation | Designation |
SA | Security Association |
KE | Key Exchange |
Idi | Identification – initiator |
IDr | Identification – responder |
CERT | Certificate |
CERTREQ | Certificate Request |
AUTH | Authentication |
Ni | Nonce – initiator |
Nr | Nonce – responder |
N | Notification |
D | Delete |
V | Vendor ID |
TSi | Traffic Selector – initiator |
TSr | Traffic Selector – responder |
SK | Encrypted and Authenticated |
CP | Configuration |
EAP | Extensible Authentication |
Flags: this field includes the following three flags:
Message ID: this field, coded on four bytes, is an identifier used to control the retransmission of lost messages and to correlate the request and response. It also protects against replay attacks.
Length: this field, coded on four bytes, includes the IKE message size.
Each block starts with a generic header containing the Next Payload field, the C (Critical) bit and the Payload Length field (Figure 7.6).
The Next Payload field indicates the type of block that comes next, thus enabling chaining.
The C bit determines the process to be executed when the receiver does not recognize the block:
The SA block is used for the negotiation of the parameters of IKE and ESP/AH security association. An SA block can contain several proposals (P) ranked in order of preference. Each proposal defines a protocol (IKE, ESP or AH) and the value of the SPI. Each proposal includes several transformations (T), and each transformation includes one or more attributes (A).
The transformation T involves the following operations:
The attribute A specifies the length of the encryption algorithm key defined in the ENCR transformation. The other transformations, PRF, INTEG, D-H and ESN have no attributes.
The key exchange (KE) block contains the public Diffie–Hellman value, enabling each end point (initiator and responder) to construct a shared secret. The block also mentions the D-H group defined in the SA block.
Identification initiator (IDi) and identification responder (IDr) blocks contain an identification of the initiator of the IKE message and the responder. This identification is based on an IPv4 or IPv6 address, a name, a messaging address or a group of bytes.
The certificate (CERT) block provides a means of transporting a certificate or information pertaining to authentication.
The certificate request (CERTREQ) block is a request pertaining to a certificate. It is used in the response of the IKE_INIT_SA exchange response or in the IKE_AUTH exchange request. It also indicates the certification authority for the required certificate.
The authentication (AUTH) block contains the authentication digest (signature or seal) for the third-party authentication. The block also specifies the method used.
Nonce initiator (Ni) and nonce responder (Nr) blocks contain a random number generated by the initiator and responder. These numbers are used in the creation of derived keys.
The notification (N) blocks contain error messages indicating the reason why the security association cannot be established.
The N block also contains status messages that an SA management process wishes to communicate to a remote process.
The delete (D) block includes the SPI of the SA that the message source wishes to delete. For an AH or ESP, it is possible to specify several SPI values. It is also possible to string several D blocks together in a single IKEv2 message.
The vendor ID (V) block announces that the message source is capable of accepting private extensions of the IKEv2 protocol. These extensions can involve the introduction of new blocks, new types of exchange or new notification information.
The traffic selector (TS) block identifies the flows for which the ESP/AH security association is implemented. Flow determination is based on the following information:
The SK (encrypted and authenticated) block is always located at the end of the IKEv2 message. The encryption and integrity algorithms for the IKEv2 message are negotiated during the implementation of the IKEv2 SA.
The configuration (CP) block is used to exchange configuration information between the two end points. In the case of an ESP/AH security association between a host and a security gateway, the host can request information concerning a host in the protected network.
The extensible authentication protocol (EAP) block enables the use of EAP in IKEv2 message for authentication.
The first exchange, IKE_SA_INIT, negotiates cryptographic algorithms and random numbers and executes a Diffie–Hellman exchange in order to create an IKE security association.
The initiator generates an IKE message containing the header (HDR) and the SAi1, KEi and Ni blocks. The header contains the initiator’s SPI, version numbers and flags. The SAi1 block contains the cryptographic algorithms proposed by the initiator for the IKE security association. The KEi block includes the Diffie–Hellman group and public value. The Ni block displays the initiator’s random number (Figure 7.7).
The responder chooses a cryptograph series from the initiator’s proposals and includes it in the SAr1 block. It completes the exchange of Diffie–Hellman keys with the KEr block. It sends its random number in the Nr block (Figure 7.7). It can possibly communicate a list of certificate authorities in the CERTREQ block.
At this stage of the negotiation, each end point can generate the SKEYSEED key. The keys used for encryption and integrity of IKE messages are produced by the SKEYSEED key and are known as SK_e (encryption) and SK_a (integrity). Message protection involves only the blocks; the header is not included.
The two different directions of traffic use different keys. The keys used to protect messages from the initiator are SK_ai and SK_ei. The keys used to protect messages in the other direction are SK_ar and SK_er.
Other keys are also derived from the SKEYSEED key. The SK_d key is used to derive the keys used in the ESP/AH security association.
The SKEYSEED key is calculated using the Diffie–Hellman secret (D-H key) and the random numbers Ni and Nr:
The keys SK_d, SK_ai, SK_ar, SK_ei, SK_er, SK_pi and SK_pr are generated as follows:
The second exchange, IKE_AUTH, is used to authenticate previous IKE messages and communicate identities and possibly exchange certificates, as well as to establish the first AH/ESP security association. These messages are completely encrypted and protected by the keys established during the IKE_SA_INIT exchange.
The initiator indicates its identity with the IDi block. It authenticates its identity and protects the integrity of the first message in the IKE_SA_INIT exchange using the AUTH block.
It can possibly send its certificate in the CERT block and the certification authority’s identity in the CERTREQ block. In this case, the AUTH block contains the initiator’s signature (Figure 7.8).
The optional IDr block enables the initiator to specify which of the responder’s identities it wishes to communicate with (Figure 7.8).
The initiator starts the negotiation of the AH/ESP security association with the SAi2 block. The TSi block specifies the characteristics of the packets transferred by the initiator. The TSr block specifies the address for packets transferred to the responder (Figure 7.8).
The notation SK{ … } indicates that the blocks are completely encrypted and protected (Figure 7.8).
The responder communicates its identity in the IDr block. It may send a certificate. It authenticates its identity and protects the integrity of the second message of the IKE_SA_INIT exchange. It completes the negotiation of the ESP/AH security association with the SAr2 block (Figure 7.8).
The CREATE_CHILD_SA exchange is used to create the ESP/AH security association and to renew the keys of the IKE and ESP/AH security association.
For the exchange involving the creation of the ESP/AH security association, the initiator finalizes it in the SA block and the traffic selectors proposed for the SA in the TSi and TSr blocks. It transmits a random number in the Ni block and optionally a Diffie–Hellman value in the KEi block (Figure 7.9).
The responder confirms the offer in the SA block. It transmits a Diffie–Hellman value in the KEr block, if the KEi block has been included in the request (Figure 7.9).
The KEYMAT key, used for the ESP/AH security association, is derived from the SK_d key and the random numbers Ni and Nr. If the exchange contains Diffie–Hellman values, then the secret D-H key obtained also participates in the creation of the KEYMAT key:
To renew the IKE SA key, the initiator sends the parameters in the SA block, a random number in the Ni block and a Diffie–Hellman value in the KEi block. The initiator’s new SPI is provided in the SA block (Figure 7.10).
The responder confirms the offer in the SA block. It transmits a Diffie–Hellman value in the KEr block. The responder’s new SPI is provided in the SA block (Figure 7.10).
The new SKEYSEED key is computed from the old key SK_d, the secret key D-H and the random numbers Ni and Nr.
To renew the ESP/AH SA key, the messages transmitted by the initiator and the responder are similar to the ones used in the creation of the security association. The initiator’s request contains an N block (REKEY_SA) containing the SPI value of the new security association (Figure 7.11).
The IPSec mechanism is implemented for the establishment of the SWu tunnel, at the end of the authentication phase using the 802.1x mechanism described in Chapter 6, the mobile acting as the initiator and the evolved packet data gateway (ePDG) of the responder (Figure 7.12).
The mobile does not transmit the AUTH block in order to warn the ePDG entity that it wishes to use the IKEv2 message to transport the EAP-AKA method.
The identity of the mobile conforms to the network access identifier (NAI) format containing the international mobile subscriber identity (IMSI) during the first authentication, or during the following authentications, a pseudonym or an identifier for the rapid renewal of authentication.
The mobile transmits the CP block (CFG_REQUEST) in the IKE_AUTH Request message to obtain its IPv4 and/or IPv6 address, and possibly the IP address of the PGW entity, in the case where the mobility is managed by the mobile.
NAI analysis allows the AAA server to distinguish between authentication for trusted Wi-Fi access based on the EAP-AKA’ mechanism and authentication for untrusted Wi-Fi access based on the AKA mechanism.
The HSS entity generates the RAND sequence and creates the seals (RES and AUTN) and the keys (CK and IK) from the Ki key and the RAND sequence.
The AAA server derives the CK and IK to generate the master session key (MSK).
The mobile verifies the signature of the message IKE_AUTH Response with the public key of the ePDG entity retrieved from its certificate.
The mobile generates the RES, AUTN, CK and IK parameters from the Ki key and the received RAND sequence and compares the received AUTN seal with the locally calculated one. If both seals are identical, the AAA server is authenticated.
The mobile derives both CK and IK to generate the master key (MSK).
The ePDG entity responds with the message IKE_AUTH Response containing in the AUTH block a seal calculated from its MSK, which enables authentication of the second message IKE_SA_INIT.
The message IKE_AUTH Response is also used to transfer to the mobile its configuration in the CP block (CFG_REPLY) and the final configuration of the SWu tunnel in the SA block.
The mobile configuration was received from the PGW when establishing the S2b tunnel described in Chapter 8.
The procedure for rapid renewal of authentication is described in Figure 7.13.
Steps 1 to 4 are identical to those described for the establishment of the SWu tunnel in Figure 7.12.
The identifier for rapid renewal of authentication is transmitted in the IDi block of the first message IKE_AUTH Request.
The message AKA Reauthentication EAP Request/EAP-Method is included to start the EAP procedure on IKEv2.
Steps 9 to 12 are identical to steps 13 to 16 described for the establishment of the SWu tunnel in Figure 7.12.
The new MSK is generated by the AAA server and passed to the ePDG entity and the mobile. This new key is used to authenticate the first two IKE_SA_INIT messages.
3.149.238.159