26-11-2012, 02:53 PM
Dynamic Routing Inside IPsec VPNs
Dynamic Routing.ppt (Size: 592.5 KB / Downloads: 148)
IPsec topology background
The IPsec VPN model
What is an “IPsec Gateway”?
What are Tunnel and Transport Modes?
What’s a Security Association?
IPsec VPN topologies
Not host-to-host
Remote access VPN
Major focus: Multi-site, branch offices
Security Association (SA)
SA = All the information shared between two IPsec systems to establish secure communication
Selection of the security mechanisms:
ESP or AH protection
Encryption algorithm
Integrity (hash/MAC) algorithm
Choice of authentication method
Authentication of the two parties
Choice of the encryption and authentication keys
Security Policy Database
Applies to every packet
For each policy entry, includes:
Selectors
Destination IP Address
Source IP Address
Name (user or system identity)
Transport Layer Protocol (protocol number)
Source and Destination Ports
The policy:
Discard the packet, bypass IPsec, or apply IPsec
For IPsec processing:
Security protocol (ESP/AH) and mode (tunnel/transport)
Enabled services (anti-replay, authentication, encryption)
Algorithms (for authentication and/or encryption)
Link to an active SA in the SAD (if one exists)
The IPsec “routing problem”
Dynamic routing in VPNs is a requirement
Selector-based tunnel mode is incompatible with dynamic routing
draft-touch-ipsec-vpn-04.txt (IETF – http://www.ietfinternet-drafts/X)
draft-wang-cevpn-routing-00.txt
draft-knight-ppvpn-ipsec-dynroute-01.txt
WHY?
Security Associations are created with selectors, so tunnels have built-in “static routes”
SP and SA database lookups do the “routing”
SA setup is orders of magnitude slower than a routing change
Dynamically changing SAs in response to routing updates doesn’t scale
Routing with VPN tunnels
What is a “VPN TUNNEL?”
An IPsec SA with NO effective address filters (any-to-any selectors)
May be IPsec tunnel mode or IP-in-IP over transport mode
It allows ANY IP traffic (unicast/multicast) to pass
It allows routing protocols to pass
Its end points are the IPsec gateway interfaces
It still protects all traffic with IPsec encryption and authentication
It is like an Ethernet, ATM, or Frame Relay “link” over the Internet, but secured by IPsec
Since you can’t use the IPsec tunnel definitions or “filters” to select destinations, you MUST route first and only then put the traffic into the IPsec “VPN tunnel”
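The SPD lookup described above and the “route first, then protect” model of a VPN tunnel, as an added example that is not part of the original slides. It is a toy model in Python: a first-match SPD with selectors (addresses, protocol, port), a selector-based SA whose selectors act as a static route, and a tunnel interface with an any-to-any SA fed by a longest-prefix-match routing table. Addresses, interface names (vti0, eth0) and SA names are constructed for illustration; the OSPF hello source address is an assumed tunnel-inside address.

```python
"""Toy model of an IPsec SPD lookup and of the two ways to carry site-to-site
traffic: selector-based SAs (the SA doubles as a static route) versus a VPN
tunnel (any/any SA on a tunnel interface) fed by the routing table.
Added example, not code from the slides; addresses, interface names and SA
names are constructed for illustration."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional

DISCARD, BYPASS, PROTECT = "DISCARD", "BYPASS", "PROTECT"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int          # IP protocol number: 6 TCP, 17 UDP, 89 OSPF
    dport: int = 0


@dataclass
class Policy:
    """One SPD entry: selectors plus the action taken on a match."""
    src_net: str
    dst_net: str
    action: str
    proto: Optional[int] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port
    sa: Optional[str] = None      # SAD entry used when action is PROTECT

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net)
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))


def spd_lookup(spd, pkt):
    """Every packet is checked; first matching entry wins, no match means DISCARD."""
    for pol in spd:
        if pol.matches(pkt):
            return pol.action, pol.sa
    return DISCARD, None


# Model 1: selector-based SA.  The selectors say which destinations the SA
# carries, so they behave as a static route: a new remote subnet needs a new
# SPD entry and a fresh SA negotiation before a single packet gets through.
SELECTOR_SPD = [
    Policy("10.1.0.0/16", "10.2.0.0/16", PROTECT, sa="sa-siteA-siteB"),
]

# Model 2: VPN tunnel.  The SPD is held per egress interface.  The tunnel
# interface vti0 protects everything (no effective address filter); the outside
# interface eth0 passes Internet traffic in the clear but refuses cleartext OSPF
# and refuses to leak traffic for internal prefixes onto the untrusted network.
TUNNEL_SPD = {
    "vti0": [Policy("0.0.0.0/0", "0.0.0.0/0", PROTECT, sa="tunnel-siteA-siteB")],
    "eth0": [Policy("0.0.0.0/0", "0.0.0.0/0", DISCARD, proto=89),
             Policy("0.0.0.0/0", "10.0.0.0/8", DISCARD),
             Policy("0.0.0.0/0", "0.0.0.0/0", BYPASS)],
}

# Routing table: prefix -> egress interface (constructed).
RIB = {"0.0.0.0/0": "eth0", "10.2.0.0/16": "vti0"}


def add_route(rib, prefix, iface):
    """A routing update, e.g. a prefix learned from the remote site over the tunnel."""
    return {**rib, prefix: iface}


def route(rib, dst):
    """Longest-prefix match over {prefix: egress interface}."""
    best = None
    for prefix, iface in rib.items():
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def forward(rib, spd_by_iface, pkt, iface=None):
    """Route first, then apply the egress interface's SPD.  Link-local multicast
    such as an OSPF hello is not routed, so the caller names the interface."""
    iface = iface or route(rib, pkt.dst)
    if iface is None:
        return None, DISCARD, None
    action, sa = spd_lookup(spd_by_iface.get(iface, []), pkt)
    return iface, action, sa


if __name__ == "__main__":
    to_b = Packet("10.1.0.7", "10.2.0.9", 6, 443)
    to_c = Packet("10.1.0.7", "10.3.0.5", 6, 443)   # subnet added at the remote site later
    print("selector SA, known subnet:", spd_lookup(SELECTOR_SPD, to_b))
    print("selector SA, new subnet:  ", spd_lookup(SELECTOR_SPD, to_c))  # DISCARD until a new SA exists
    print("tunnel, before the update:", forward(RIB, TUNNEL_SPD, to_c))   # eth0 SPD refuses the leak
    rib = add_route(RIB, "10.3.0.0/16", "vti0")                          # a routing update is all it takes
    print("tunnel, after the update: ", forward(rib, TUNNEL_SPD, to_c))
    ospf = Packet("10.255.0.1", "224.0.0.5", 89)
    print("OSPF hello via tunnel:    ", forward(rib, TUNNEL_SPD, ospf, iface="vti0"))
    print("OSPF hello in the clear:  ", forward(rib, TUNNEL_SPD, ospf, iface="eth0"))
```

Two things to take from running it: with the selector-based SA, traffic to a subnet the SA does not list is simply dropped until a new SA is negotiated, whereas with the tunnel a single routing-table update (no SA change) makes the new subnet reachable; and the per-interface SPD on the outside interface is what stops the failure mode where a missing route lets internal traffic fall through the default route in the clear.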
Attacks on routing
Injection of routes inside a site
Malicious
Routing process running on compromised host or router
Redirect traffic toward a compromised system internal to trusted network
Redirect via default route over unprotected path through untrusted network
Misconfiguration
Advertising routes via an unprotected path
Static routes configured in routers
routed (a routing daemon) running on unauthorized hosts
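A check for the route-injection and misconfiguration cases listed above, as an added example not taken from the slides: it parses a routing-table snapshot and flags internal prefixes whose egress is an untrusted interface (the unprotected-path case), dynamic routes from next hops that are not approved neighbors (a compromised host, an unauthorized routed, a rogue static route re-advertised), and a default route learned from a routing protocol (the redirect-via-default-route case). The snapshot format, prefixes, interface names and neighbor list are constructed for illustration.

```python
"""Audit a routing-table snapshot for the injection and misconfiguration cases
above.  Added example, not from the slides; the table format, interface names,
prefixes and neighbor allowlist are constructed for illustration."""
from __future__ import annotations
import ipaddress

UNPROTECTED_PATH = "UNPROTECTED_PATH"        # internal prefix reachable via an untrusted interface
UNAUTHORIZED_SOURCE = "UNAUTHORIZED_SOURCE"  # dynamic route whose next hop is not an approved neighbor
DYNAMIC_DEFAULT = "DYNAMIC_DEFAULT"          # default route learned from a routing protocol

# Assumed site policy: what counts as "inside", which interfaces face the
# untrusted network, and which neighbors may legitimately advertise routes.
INTERNAL_PREFIXES = [ipaddress.ip_network("10.0.0.0/8")]
UNTRUSTED_IFACES = {"eth0"}
ALLOWED_NEIGHBORS = {"10.255.0.2", "10.1.0.1"}   # tunnel peer, internal core router
STATIC_CODES = {"C", "S"}                        # connected and static; anything else is dynamic

# Constructed snapshot: code  prefix  next-hop  interface  ("-" = directly connected)
SNAPSHOT = """
C  10.1.0.0/16    -            eth1
S  0.0.0.0/0      203.0.113.1  eth0
O  10.1.20.0/24   10.1.0.1     eth1
O  10.2.0.0/16    10.255.0.2   vti0
O  10.3.0.0/16    10.255.0.2   vti0
O  10.4.0.0/16    203.0.113.9  eth0
O  10.1.50.0/24   10.1.0.99    eth1
O  0.0.0.0/0      10.1.0.99    eth1
"""


def parse_snapshot(text):
    """Turn the four-column snapshot into route records; skips blank and comment lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0].startswith("#"):
            continue
        code, prefix, next_hop, iface = fields
        routes.append({"code": code, "prefix": ipaddress.ip_network(prefix),
                       "next_hop": next_hop, "iface": iface})
    return routes


def is_internal(net):
    return any(net.subnet_of(p) for p in INTERNAL_PREFIXES)


def audit_routes(routes):
    """Return (prefix, next_hop, finding) triples; a route may raise several findings."""
    findings = []
    for r in routes:
        dynamic = r["code"] not in STATIC_CODES
        prefix = str(r["prefix"])
        # Traffic for an internal prefix must never leave via the untrusted side in the clear.
        if is_internal(r["prefix"]) and r["iface"] in UNTRUSTED_IFACES:
            findings.append((prefix, r["next_hop"], UNPROTECTED_PATH))
        # Dynamic routes may only come from neighbors we deliberately peer with.
        if dynamic and r["next_hop"] not in ALLOWED_NEIGHBORS:
            findings.append((prefix, r["next_hop"], UNAUTHORIZED_SOURCE))
        # A dynamically learned default route is the classic redirect-everything injection.
        if dynamic and r["prefix"].prefixlen == 0:
            findings.append((prefix, r["next_hop"], DYNAMIC_DEFAULT))
    return findings


if __name__ == "__main__":
    for prefix, next_hop, finding in audit_routes(parse_snapshot(SNAPSHOT)):
        print(f"{finding:20} {prefix:16} via {next_hop}")
```

On the constructed snapshot the two tunnel-learned prefixes and the route from the internal core router pass, while 10.4.0.0/16 via the ISP-facing interface, 10.1.50.0/24 from the unapproved host 10.1.0.99, and the dynamic default route from that same host are all flagged. In practice the snapshot would come from the router's RIB dump and the allowlist from the routing-protocol authentication configuration.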