BRKSEC-3001 - Advanced IKEv2 Protocol

Download as pdf or txt
Download as pdf or txt
You are on page 1of 77

Advanced IKEv2

Protocol

Jay Young, CCIE - Technical Leader, Services


BRKSEC-3001
Cisco Spark
Questions?
Use Cisco Spark to chat with the
speaker after the session

How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space

Cisco Spark spaces will be cs.co/ciscolivebot#BRKXXX-xxxx


available until July 3, 2017.

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda

• IP Security overview
• IKEv1 – Protocol Overview
• IKEv1 – Everything is good,
right?
• IKEv2 – Protocol Overview &
Comparison
• Summary
IP Security Overview
… or at least back to 1998
• A need for a standard secure method to communicate over the Internet
• Architecture needed:
• Multiple Strong Authentication Methods
• Anti-clogging (DoS)
• Prevent Connection Hijacking
• Linking key exchange with authentication
• Prevent Man-in-the-middle attacks
• Interception, insertion, deletion, replay, redirection
• Encryption
• Integrity

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
IP security overview

• A collection of 12 RFCs published to define IP Security (IPsec)

• Some were very high level architectural designs

• Some were very low on roles, responsibilities and functions

• Numerous other RFCs defined to add shortcomings

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 7
IP Security Overview Cipher/Hash

Key Exchange RFC2403 RFC2410


Architecture ESP-NULL
HMAC-MD5
RFC2412
OAKLEY RFC2401 RFC2404
RFC2408 Sec Arch for IP HMAC-SHA-1
ISAKMP RFC2405
ESP w/ DES
RFC2411
IPsec Doc

Traffic Encapsulation
Protocols Protocol Definition +many more minor additions
RFC2402
RFC2406 AH RFC2407 NAT-T
ESP IPsec DOI RFC3947+3948
RFC2409
IKEv1

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 8
ISAKMP
• ISAKMP defines two phases:

• Phase 1
• Used for control plane
• Establish secure channel between peers
• Prove identities
• Negotiate data plane security settings

• Phase 2
• Used for data plane
• Transports the protected data

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 9
IKEv1 – Protocol Overview
IKEv1
• There are two different ‘modes’ for building Phase 1
• Main Mode
• 6 packet exchange
• Full Identity protection (protects against passive surveillance)
• Better Anti-DoS protection

• Aggressive Mode
• 3 packet exchange
• Identities passed in the clear
• Responder must authenticate himself first
• PSK can be retrieved by an offline brute-force attack
• Trivial to DoS
• Faster session establishment

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 11
IKEv1- Main Mode (message 1 and 2)
• The first two messages are used to negotiate the following cryptographic
attributes:
• Authentication method*
• Encryption cipher*
• Integrity hash*
• Lifetime of Security Association
• Diffie-Hellman Key Exchange Group *
• Initiator proposes a list of combinations of the starred (*) above
• Responder picks one of the combinations proposed
• Lifetime is MIN(initiator, responder)
• NOT encrypted – Peer NOT authenticated yet

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 12
IKEv1- Main Mode (MM1)
Initiator Responder
HDR
cookie:
• initiator = X (randomly generated number per session)
• responder = 00000000,
SA (multiple crypto policies),
Vendor IDs – String or hash value. Used to advertise support
for capabilities not defined in standard (i.e. NAT-T)

MM1

Unencrypted – Unauthenticated
Reference

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 13
IKEv1- Main Mode (MM2)
Initiator Responder
HDR
cookie:
• initiator = X (retained)
• responder = Y (randomly generated per session),
SA (the selected crypto policy),
Vendor IDs – String or hash value. Used to advertise support
for capabilities not defined in standard (i.e. NAT-T)

MM2

Unencrypted – Unauthenticated
Reference

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 14
IKEv1- Main Mode (message 3 and 4)
• Exchange Diffie-Hellman key values

• Exchange Nonce values

• Detect if NAT is used between peers

• Suggest trusted certificate authorities (CA)

• After this exchange, further communication is encrypted and secure.

• Peer NOT authenticated yet.

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 15
IKEv1- Main Mode (MM3)
Initiator Responder
HDR (cookie i=X,r=Y)
Diffie-Hellman Key Exchange material (g^xi)
Nonce from initiator (random data [entropy + anti-replay])
Additional Vendor IDs
NAT-Discovery Payloads

MM3

Unencrypted – Unauthenticated
Reference

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 16
IKEv1- Main Mode (MM4)
Initiator Responder
HDR (cookie i=X,r=Y)
Diffie-Hellman Key Exchange material (g^xr)
Nonce from responder (random data [entropy + anti-replay])
Additional Vendor IDs
NAT-Discovery Payloads
[Certificate Request] – Hints of which CAs the responder trusts

MM2

Unencrypted – Unauthenticated
Reference

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 17
Diffie-Hellman Groups
Number Name
1 Group 1 - 768-bit MODP Group
2 Group 2 - 1024-bit MODP Group
5 1536-bit MODP Group
14 2048-bit MODP Group
15 3072-bit MODP Group
16 4096-bit MODP Group
17 6144-bit MODP Group
18 8192-bit MODP Group
19 256-bit random ECP group
20 384-bit random ECP group
21 521-bit random ECP group
22 1024-bit MODP Group with 160-bit Prime Order Subgroup
23 2048-bit MODP Group with 224-bit Prime Order Subgroup
24 2048-bit MODP Group with 256-bit Prime Order Subgroup
25 192-bit Random ECP Group
26 224-bit Random ECP Group
Reference

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 18
Diffie-Hellman Primer
p=23 g=5 p and g are constants defined by DH Group
Alice Alice
g^a mod p = A = 5^6 mod 23 = 15,625 mod 23 = 8
a=6 b=15

g^b mod p = A = 5^15 mod 23 = 30,517,578,125 mod 23 = 19

s = B^a mod p A^b mod p = s


s = 19^6 mod 23 8^15 mod 23 = s
s = 47,045,881 mod 23 35,184,372,088,832 mod 23 = s
s=2 2=s
Reference
BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 19
IKEv1- KEYS
• From the derived secret value a SKEYID is created using values from the ISAKMP
exchange.
• Provides protection against replay attacks using the same DH values.
• Different SKEYID generation based on authentication type:
• Pre-shared-key: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
• Signatures (Certs): SKEYID = prf(Ni_b | Nr_b, g^xy)
• Then from that SKEYID three sub-keys are created:
• SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0) - For further keying material derivation
• SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1) - Authentication Key
• SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2) - Encryption Key

Reference

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 20
IKEv1- Main Mode (message 5 and 6)
• Exchange certificate

• Prove identity using Pre-Shared Key or Certificate

• Cryptographically validate previous messages – prevents session hijack

• Switched to UDP/4500 if NAT had been detected in MM3+4

• Encrypted – Peer is proving identity.

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 21
IKEv1- Main Mode (MM5)
Initiator Responder
HDR (cookie i=X,r=Y)
Identity (a string value representing who I am)
Auth payload (cryptographic proof-of-possession built from pre-
shared-key or digital signature)
[Initial Connect] – Optional payload to help synchronize SAs
[Certificate] – Copy of initiator’s ID cert + chain
[Certificate Request] – Hints of which CAs the initiator trusts

MM5
Encrypted
Initiator: Proving identity
Responder: Unauthenticated Reference

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 22
IKEv1- Main Mode (MM6)
Initiator Responder
HDR (cookie i=X,r=Y)
Identity (a string value representing who I am)
Auth payload (cryptographic proof-of-posession built from
preshared-key or digital signature)
[Certificate] – Copy of responder’s ID cert + chain

MM6
Encrypted
Initiator: Authenticated
Responder: Proving identity Reference

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 23
IKEv1 – Main Mode Summary
Initiator Responder

MM1 (HDR, SA, VID) Negotiate


Unauthenticated

crypto
Unencrypted +

MM2 (HDR, SA, VID) settings

MM3 (HDR, Nonce, KE, VID) Secret


key
MM4 (HDR, Nonce, KE, VID, [CERT-REQ]) exchange
Unauthenticated
Encrypted but

MM5 (HDR, IDi, AUTH, [IC], [CERT],[CERT-REQ]) Prove


MM6 (HDR, IDr, AUTH, [CERT]) identity

Phase 1 complete – Encrypted & Authenticated


BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 24
IKEv1 – Aggressive Mode Summary
Initiator Responder
Unauthenticated

Negotiate
Unencrypted +

crypto
AM1 (HDR, SA, KE, Nonce, IDi, VID) settings + 1st
½ of key
exchange
Unencrypted but

Negotiate crypto
Authenticated

AM2 (HDR, SA, KE, Nonce, VID, IDr, AUTH ) settings + 2st ½
Responder

of key exchange
AUTH payload hashed using portions of AM1+2 and derived SKEYID + responder
proves identity
Authenticated
Encrypted +

Initiator
AM3 (HDR, IDi, AUTH) proves
identity
Phase 1 complete – Encrypted & Authenticated
BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 25
IKEv1 – Phase 1
• 1st Phase is already built: it provides security and proof with whom you are
communicating with
• The following operations occur over this Phase 1 SA:
• Dead Peer Detections (keepalive messages)
• Negotiation and Establishment of ESP and AH SAs (Phase 2)
• Notifications (Teardown/Deletion)
• Xauth (Username/Password Authentication) – Remote access
• Mode_CFG (IP address assignment, DNS, etc.) – Remote access

• In most deployments Phase 2 is IPsec, but other DOIs exist (e.g. GDOI).

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 26
IKEv1 – Quick Mode Phase 2
• Quick mode allows the establishment of an IPsec SA in three messages
• Things negotiated:
• Traffic to be protected
• How to be encapsulated
• How to be encrypted
• How to provide integrity
• How long the SA is valid for in time and volume of data
• If Perfect Forward Secrecy (PFS) is required

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 27
IKEv1- Quick Mode (QM1)
Initiator Responder

HASH(1)
SA (Transform sets, SPI)
Nonce (for replay protection)
[Key Exchange] (if PFS is desired)
Proposed Traffic Selectors
NAT address information

QM1

Reference

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 28
IKEv1- Quick Mode (QM2)
Initiator Responder

HASH(2)
SA (Transform set, SPI)
Nonce (for replay protection)
[Key Exchange] (if PFS is desired)
Selected Traffic Selectors
NAT address information

QM2

Reference

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 29
IKEv1- Quick Mode (QM3)
Initiator Responder

HASH(3) – Essentially just an ACK

QM3

Reference

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 30
IKEv1- Quick Mode Summary
Initiator Responder
SA (Transform sets, SPI)
Nonce (for replay protection)
[Key Exchange] (if PFS is desired)
Proposed Traffic Selectors
NAT address information

QM1 - Request

QM2 – Yes or No

Just an ACK
QM3

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
IKEv1 – Everything’s good, right?
IKEv1 – Challenges
• NAT breaks things™
• What do you mean certificates don’t scale?

• So many keys which one do I use?

• Hello… Hello…

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 33
IKEv1 – NAT breaks things™
• IPsec uses IP protocol 50 (ESP) and 51 (AH)
• 1:1 NAT
• AH can’t work – Integrity check performed over IP address fields + payload
• ESP can work – Integrity check performed only over payload

• N:1 Port Address Translation (PAT)


• Rule of Thumb – Only TCP and UDP can reliably be NATted
• ESP doesn’t have ports ∴ ESP can’t work through PAT

• Solution: Encapsulate ESP packets within UDP

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 34
IKEv1 – NAT-T
• Solution: Encapsulate ESP packets within UDP when going through NAT
• NAT/PAT devices only see UDP packets.
• Port 4500 is reserved for IPsec over UDP
• Support for NAT-T was added with RFC 3947 and 3948

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 35
IKEv1 – Determine if NAT is in path
IP Addr: A NAT device A->C IP Addr: B

MM1 – VID (I can do NAT-T) MM1 – VID (I can do NAT-T) Advertise


IP A->B Port 500->500 IP C->B Port 1434->500 NAT-T
support
MM2 – VID (I can do NAT-T) MM2 – VID (I can do NAT-T)
IP B->A Port 500->500 IP B->C Port 500->1434

Initiator computes hashes and Responder computes + compares


includes them inside packet hashes against ones inside packet Initiator Hash
different ->
Hash(IP A + Port 500) Hash(IP B + Port 500) Hash(IP C + Port 1434) Hash(IP B + Port 500) behind NAT

Responder
MM3 – VID MM3 – VID Hash same ->
IP A->B Port 500->500 IP C->B Port 1434->500 not behind NAT

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 36
IKEv1 – Determine if NAT is in path
IP Addr: A NAT device A->C IP Addr: B
Initiator Hash Initiator computes + compares Responder computes hashes and
different -> hashes against ones inside packet includes them inside packet
behind NAT Hash(IP A + Port 500) Hash(IP B + Port 500) Hash(IP C + Port 1434) Hash(IP B + Port 500)

Responder
Hash same -> MM4 – MM4 –
not behind NAT IP B->A Port 500->500 IP B->C Port 500->1434

Both Initiator and Responder both know who is behind NAT

Switch to MM5 - IP C->B Port 6234->4500


MM5 - IP A->B Port 4500->4500
UDP/4500

MM6 – IP B->A Port 4500->4500 MM6 – IP B->C Port 4500->6234

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 37
IKEv1 – NAT-T
• Normal Case:
• UDP/500 for control channel
• ESP or AH for data channel

• Problem: Stateful firewalls (NAT devices) can prevent the control channel
communication due to inactivity even when data channel is actively used.

• NAT Case:
• Send both control channel and data channel over UDP/4500

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 38
ESP Payload
SPI SEQ DATA TRAILER

IKEv1 – NAT-T Unencrypted Encrypted

IP Addr: A NAT device A->C IP Addr: B


Data Traffic

ESP Payload

IP A->B | UDP Port 4500->4500 | ESP Payload IP C->B | UDP Port 6234->4500 | ESP Payload

Control Traffic

0000 + IKE Message

IP A->B | UDP Port 4500->4500 | 0000 + IKE Message IP C->B | UDP Port 6234->4500 | 0000 + IKE Message

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 39
IKEv1 – Certificates
• Authentication can use certificates
• Problem 1: Peer must know which CAs are trusted by peer
• Explicit configuration doesn’t scale

• Solution 1: RFC4945 – Prior to AUTH provide a list of trusted CAs to peer


• In MM4 – Responder sends list of CA he trusts
• In MM5 – Initiator sends list of CA he trusts.

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 40
IKEv1 – Certificates
Initiator Responder

Subject
CA4 CA1
ID4 CA2

Subject
CA2 CA3
ID2


Subject
CA5
MM4 (HDR, Nonce, KE, VID, [CERT-REQ])

MM5 (HDR, IDi, AUTH, [IC], [CERT],[CERT-REQ])

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 41
IKEv1 – Pre-shared-keys
• Keys are linked to an identity
IP address, FQDN, Email, Distinguished Name

• Identities are shared in MM5 and MM6


• The PSK is part of key generation
?
• Crypto keys are generated in MM3 and MM4
• PSK lookup can ONLY be done on IP address
• If remote devices have dynamic addresses, then use wildcard key (not best
practice)
• Workaround: Use Aggressive mode
• Caveat: Aggressive mode is less secure

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 42
IKEv1 – Dead Peer Detection
• Problem: We haven’t received any packet from our peer.
Is he dead or just nothing to say?
• Solution: RFC 3706 - Send a message asking if he is alive

Peer1 Peer2

Notify(R-U-THERE)

Notify(R-U-THERE-ACK)

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 43
IKEv2 – Overview (Finally!)
IKEv2 – Goals (What did we learn)
• Define IKEv2 in one document rather than a combination of many
• Reduce setup latency by reducing number of messages
• More secure
• Always provide identity protection (No Aggressive mode)
• PSK is not used in crypto key generation*
• Provide additional authentication mechanisms (EAP)
• Allow more flexible authentication choices (asymmetrical)
• Exchange of routes and attributes
• Reduce number of options/methods – simplify implementations

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 45
IKEv2 – Session Establishment Overview
Initiator Responder
Negotiate
Unauthenticated
Unencrypted +

IKE_SA_INIT Req (HDR, SA, VID, KE, Nonce, NAT-D) crypto


settings,
secret key
exchange,
IKE_SA_INIT Res (HDR, SA, VID, KE, Nonce, NAT-D, [CERT-REQ]) NAT detection

Prove
Unauthenticated

IKE_AUTH (HDR, IDi, AUTH, CREATE_CHILD_SA, N(IC), [CERT],[CERT-REQ]) identity


Encrypted but

and
create
phase 2
IKE_AUTH (HDR, IDr, AUTH, CREATE_CHILD_SA, [CERT])
SA

Phase 1 complete – Encrypted & Authenticated


BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 46
IKEv1 vs IKEv2 – Session Establishment Overview
MM1 (SA, VID)
IKE_SA_INIT Req
MM2 (SA, VID)

MM3 (Nonce, KE, VID, NAT-D)


IKE_SA_INIT Res

MM4 (Nonce, KE, VID, NAT-D, [CERT-REQ])

MM5 (IDi, AUTH, [IC], [CERT],[CERT-REQ])

IKE_AUTH Req
MM6 (IDr, AUTH, [CERT])

QM1 (SA, TS, [NAT-OA])


IKE_AUTH Res
QM2 (SA, TS, [NAT-OA])

QM3
BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 47
IKEv2 – 2nd Child SA Establishment

Initiator Responder
SA (Transform sets, SPI)
Nonce (for replay protection)
[Key Exchange] (if PFS is desired)
Proposed Traffic Selectors
NAT address information

CREATE_CHILD_SA Req

CREATE_CHILD_SA Res

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 48
IKEv2 is super-hero
fast right?
IKEv2 – Faster exchange right?
• “It depends!”
• Exponentiation is done after 1st packet
• Vulnerable to DOS spoofing attack!
• When IKEv2 *might* be under attack, add another exchange prior to
exponentiation to confirm source reachability hmmm… Am

• Generate a cheap stateless cookie (similar to TCP SYN-cookies) I under attack?

IKE_SA_INIT Req (HDR, SA, VID, KE, Nonce, NAT-D) +

IKE_SA_INIT Res (HDR, N(COOKIE))


copy


IKE_SA_INIT Req (HDR, SA, VID, KE, Nonce, NAT-D, N(COOKIE)) +
=

IKE_SA_INIT Res (HDR, SA, VID, KE, Nonce, NAT-D, [CERT-REQ])

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 50
IKEv2 – Faster exchange right? Part 2
• Key establishment is done in first two packets.
• Initiator must guess which DH group his peer will accept
• If wrong/unacceptable group is sent, responder will hint and say ‘try again’

DH mismatch.
Try again with
group 14

IKE_SA_INIT Req (HDR, SA, VID, KE, Nonce, NAT-D)

IKE_SA_INIT Res (HDR, N(INVALID_KE_PAYLOAD))

IKE_SA_INIT Req (HDR, SA, VID, KE, Nonce, NAT-D) OK good this
time!

IKE_SA_INIT Res (HDR, SA, VID, KE, Nonce, NAT-D, [CERT-REQ])

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 51
IKEv2 – Faster exchange right? Part 3
• EAP authentication of client
• EAP messages are carried within IKE_AUTH messages
• Adds multiple IKE exchanges back and forth between client and NAS
• N x exchanges – Depends on EAP method

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 52
IKEv2 – EAP Authentication
• EAP authentication of client.
• Adds N number of additional exchanges between peers
I AAA Server
n
i IKE_SA_INIT Req (HDR, SA, VID, KE, Nonce, NAT-D)
t
i IKE_SA_INIT Res (HDR, SA, VID, KE, Nonce, NAT-D, [CERT-REQ])
a IKE_AUTH (HDR, IDi, CREATE_CHILD_SA, N(IC), [CERT],[CERT-REQ])
t
o IKE_AUTH (HDR, IDr, AUTH, [CERT],EAP)
r
IKE_AUTH (HDR, EAP) RADIUS
N N
times times
IKE_AUTH (HDR,EAP)

IKE_AUTH (HDR, AUTH)

IKE_AUTH (HDR,AUTH, CREATE_CHILD_SA )

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 53
IKEv2 – Faster exchange right? Part 4
• 4 packets for basic exchange
• +2 for Anti-spoofing (if detected)
• +2 for incorrect DH group
• +(2 x N) exchanges for EAP Authentication

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 54
IKEv2’s shiny
super abilities
IKEv2 – More Secure!!!!!
• Reuses encapsulation model from ESP for all IKEv2 messages
• Certificate Request are obfuscated
• Support for combined mode ciphers (AEAD)
• EAP versus XAUTH
• No need for a group pre-shared-key
• NAS never sees user/password in clear

• Initiator must prove identity first (except w/ EAP)


• Suite-B support - Next Gen Encryption
• Session keys are not based on PSK
• Allows for scalable AAA based PSK lookup

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 56
IKEv2 – Flexible Authentication Methods
• Unlike IKEv1, authentication is done uni-directionally in IKEv2
• Different pre-shared-keys can be used for local and remote
• Different authentication methods can be used for local and remote
• Example on IOS:
Peer can use either:
crypto ikev2 profile Profile1
EAP
identity local fqdn hub.example.com
Pre-Shared-Key
authentication remote pre-share
authentication remote eap
authentication local rsa-sig We will use certificate

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 57
IKEv2 – Rekeys
IKEv1 IKEv2

IPSec SAs can let parent Phase-1 expire. IKEv2 always-on SA. If IKEv2 dies it deletes child
New Phase-1 setup when DPD or rekey needed IPSec SAs.

Lifetimes are negotiated and tracked on both sides. Lifetimes are locally significant. Whichever peer’s timer
pops first sends a Delete for the SA

Phase-1 rekey is a complete whole new handshake Phase-1 rekey is handled in CREATE_CHILD_SA
(forces re-authentication). exchange (no re-authentication).

RFC4478 – Adds support for Re-authentication (no


support in IOS yet)

Reference

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 58
IKEv2 – Notifications/Deletes
• In IKEv1 Notifications are ‘fire and forget’
• In IKEv2 Notifications are exchanges – need to be ACKed
• Problem if peer has died!
• Need to wait until re-xmits complete before delete SA from DB

Reference

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 59
IKEv2 – Attribute Exchange
• Config Request/Reply - Solicited Typical DMVPN Tunnel Deployment
• Remote access use case:
• IP address Every 5 seconds send:
• DNS 74 byte EIGRP hello packet
• WINS
• Split-tunnel
168 byte ESP packet
• Config Set/Ack – Unsolicited
• IKEv2 routing 175 MegaBytes per spoke,
• Version info per month
• Extensible for future

$$$$$ if on metered ISP


(4G, Satellite)

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 60
IKEv2 – Fragmentation
• Large IKE messages make large UDP datagrams
• Packets get fragmented at IP layer
• Filtering/Blocking of fragments causes protocol failure
• Solution: Fragment at Application layer
• IKEv1 – Proprietary
• Encrypt then segment across multiple UDP packets
• IKEv2 – Standard, RFC7383
• Segment then encrypt

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 61
Where to use?
FlexVPN – Simplified IOS implementation
• Smart defaults
• Virtual Tunnel Interface based (point-to-point)
• Interoperability
• Unified configuration
• Multiple redundancy options
• Simple config for basic topology
• Customizable for complex network requirements
• More explicit and easier to understand debugs

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 63
Almost everything is already taken care for you!
hostname site1 Just provide:
!
interface Tunnel0
ip address 10.1.12.1 255.255.255.0 Who to connect to
tunnel source Ethernet0/1
tunnel destination 172.18.3.52
tunnel protection ipsec profile ipsecProf1 &
!
crypto ipsec profile ipsecProf1
set ikev2-profile ikev2Prof1 Password
!
crypto ikev2 profile ikev2Prof1
match identity remote address 172.18.3.52 255.255.255.255
authentication local pre-share key key2
authentication remote pre-share key key1

Site1 Site2
BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 64
FlexVPN Supported Deployment models:
Site-to-Site
Spoke-to-Spoke
IKEv2 also supported with:
• DMVPN/iWAN 2.x
• Crypto maps
• GET-VPN (G-IKEv2)

Hub and Spoke


Remote Access
Windows
OS X and iOS
Android
Strongswan
Anyconnect
BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 65
FlexVPN Redundancy models
HSRP/IKEv2 Tunnel Source Pivot
Always On
Site-to-Site Backup Peer
Site-to-Site Site-to-Site
Load Balancing Cluster
Hub-1
Hub-1 Hub-2 Hub-1 Hub-2 Hub-1 Hub-2 Hub-N Hub-1

VIP

ISP-1 ISP-2

Hub and Spoke Hub and Spoke

• Two Tunnels • One Tunnel • One Tunnel • One Tunnel


• Routing Protocol • Detect failure • Connect to Master • 2 ISPs
• Route around issue • Contact backup • Redirected to node • Change source of
tunnel

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 66
IKEv2 – IOS better debugs
• Debugs are well structured and explicit
• Mirrors the protocol flow
• Delineates the transitions in Finite State Machine

IKEv2:(SESSION ID = 3,SA ID = 1):Sending Packet [To 172.20.5.43:500/From 172.18.3.52:500/VRF i0:f0]


Initiator SPI : 3D336F01678C442D - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

IKEv2:(SESSION ID = 3,SA ID = 1):Received Packet [From 172.20.5.43:500/To 172.18.3.52:500/VRF i0:f0]
Initiator SPI : 3D336F01678C442D - Responder SPI : 57A175F05AE0C0DC Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 67
Related Sessions

• BRKSEC-2881 – Designing Remote-Access and Site-to-Site IPSec


Networks with FlexVPN
• Piotr Kupisiewicz – Cisco Services Customer Support Engineer

• BRKSEC-3054 – IOS FlexVPN Remote Access, IoT and Site-to-Site


advanced Crypto VPN Designs
• Frederic Detienne – Cisco Services Distinguished Engineer

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 68
Cisco Press Book ‘IKEv2 IPsec VPNs’ by Amjad Inamdar & Graham Bartlett

Customer Reviews
One of the best technical books I've read
This book is the IKEv2 VPN equivalent of Jeff Doyle's Routing TCP/IP Vol 1 & 2 - a must read
for any network security engineer wanting to design and build secure VPN's. One of the best
technical books I've read.

Superb book and well worth the money for anyone even thinking about Cisco crypto
This book is the most comprehensive book on IKEv2 for Cisco network engineers that you
will find and is all about real-world scenarios.

Definitive guide on modern IPsec VPN theory and practice


Many times I wish I had a book like this to help distill many complex IETF RFCs into “plain
English” and provide practical and actionable security best practices.

Highly recommended for anyone on the CCIE Security track or anyone


If you need to really understand IKEv2 and FlexVPN, this is the book that will get you there.
Be warned, it's not for the faint of heart ...

The best book on IKEv2 IPsec VPNs


The book is awesome! I appreciate authors' work on presenting deeply technical topics in
extremely easy to understand manner.

Finally, all you need to know about FLEX in one place!


Well written , concise and accurate. An absolute must for anyone designing, supporting or
troubleshooting IKEv2 VPNs. You too can become a FLEX expert!

Most comprehensive VPN reference


This the most comprehensive book on IKEv2 and IPSec I have come across. If anyone is
interested in Cisco VPN solutions, this is the book to look for.

Extremely well written book on Nextgen Crypto VPN technologies


https://www.amazon.com/IKEv2-IPsec-Virtual-Private The authors have immense experience in the domain which is very evident in the way every
Networks/dp/1587144603/ topic is explained brilliantly. A must have book if you are into Security.!

Brilliant
Listed in the CCIE Security reading list It's well worth the money. I feel like I know the subject thoroughly now. I don't usually leave
https://learningnetwork.cisco.com/community/certifications/ reviews but was motivated to in this instance. Good job, highly recommended.
ccie_security/written_exam/study-material
Great Book
Very in depth and detail explanations. It has greatly enhanced my understanding of IKEv2,
IPSec, and Cisco's implementations.
BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 69
Summary
Summary
• IKEv1 works well, but needed many add-ons to shine
• IKEv2 built those add-ons into standard
• IKEv2 easier to understand + troubleshoot
• IKEv2 has better security model + SuiteB support
• v1 and v2 are incompatible
• IOS (FlexVPN) simplifies config, allows vendor interoperability and highly
scalable

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 71
Complete Your Online
Session Evaluation
• Give us your feedback to be
entered into a Daily Survey
Drawing. A daily winner will
receive a $750 gift card.
• Complete your session surveys
through the Cisco Live mobile
app or on www.CiscoLive.com/us.

Don’t forget: Cisco Live sessions will be


available for viewing on demand after the
event at www.CiscoLive.com/Online.

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Continue Your Education
• Demos in the Cisco Campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 73
Thank you
Cybersecurity Cisco Education Offerings
Course Description Cisco Certification
Understanding Cisco Cybersecurity The SECFND course provides understanding of CCNA® Cyber Ops
Fundamentals (SFUND) cybersecurity’s basic principles, foundational knowledge, and
core skills needed to build a foundation for understanding
more advanced cybersecurity material & skills.
Implementing Cisco Cybersecurity This course prepares candidates to begin a career within a CCNA® Cyber Ops
Operations (SECOPS) Security Operations Center (SOC), working with
Cybersecurity Analysts at the associate level.
Securing Cisco Networks with Threat Designed for security analysts who work in a Security Cisco Cybersecurity
Detection and Analysis (SCYBER) Operations Center, the course covers essential areas of Specialist
security operations competency, including SIEM, Event
monitoring, security event/alarm/traffic analysis (detection),
and incident response
Cisco Security Product Training Courses Official deep-dive, hands-on product training on Cisco’s
latest security products, including NGFW, ASA, NGIPS,
AMP, Identity Services Engine, Email and Web Security
Appliances, and more.
For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.com
Questions? Visit the Learning@Cisco Booth

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 76
Cybersecurity Cisco Education Offerings
Course Description Cisco Certification
New! CCIE Security 5.0 CCIE® Security

Implementing Cisco Edge Network Security Configure Cisco perimeter edge security solutions utilizing Cisco CCNP® Security
Solutions (SENSS) Switches, Cisco Routers, and Cisco Adaptive Security Appliance
(ASA) Firewalls
Implementing Cisco Threat Control
Solutions (SITCS) v1.5 Implement Cisco’s Next Generation Firewall (NGFW), FirePOWER
NGIPS (Next Generation IPS), Cisco AMP (Advanced Malware
Protection), as well as Web Security, Email Security and Cloud
Implementing Cisco Secure Access Web Security
Solutions (SISAS)
Deploy Cisco’s Identity Services Engine and 802.1X secure
Implementing Cisco Secure Mobility network access
Solutions (SIMOS)
Protect data traversing a public or shared infrastructure such as the
Internet by implementing and maintaining Cisco VPN solutions
Implementing Cisco Network Security Focuses on the design, implementation, and monitoring of a CCNA® Security
(IINS 3.0) comprehensive security policy, using Cisco IOS security features

For more details, please visit: www.cisco.com/go/securitytraining or http://learningnetwork.cisco.com


Questions? Visit the Learning@Cisco Booth

BRKSEC-3001 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 77

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy