Ni?
`
`\"vUrirx Uni"ur
`
`Principles and Practice
`
`(3RYP'I‘(')GHAP} lY
`
`Scruml lidiliun
`
`New Bay Capital, LLC
`Ex.1007-Page 1 of 45
`
`

`

`
`
`
`
`
`
`
`
`CRYPTOGRAPHY AND
`
`NETWORK SECURITY:
`
`
`
`
`ILI'
`
`£1!
`
`E
`
`'
`
`
`
`
`
`
`h.HI‘AI'vufllu“:-Lihl9:”:>‘II"I'-A'l'lllll...
`
`SECOND EDITION
`
`
`
`
`
`
`
`William Stallings
`
`
`
`
`
`
`
`
`
`
`Prentice Hall
`
`Upper Saddle River, New Jersey 07458
`
`
`
`
`
`
`New Bay Capital, LLC
`
`WWW-Page 2 of 45
`
`
`
`
`
`
`
`New Bay Capital, LLC
`Ex.1007-Page 2 of 45
`
`

`

`
`
`
`
`
`“f
`
` Llhmy at Coupes: Cataloging-h-l'uhllntlou Data
`
`
`
`93—15676
`CIP
`
`
`
`
`Acquisitions edirar. Laura Steele
`Editorialfproducflon supervision: Rose Keman
`Editar-fn-chiefi Marcia Horton
`'
`Bayard Mendoza de Leon
`Copy editing: Patricia Daly
`Arr dlrccrar and cover designer. Heather Scott
`Director afpraa‘trcriort and manufacturing: David w. Rieeardi
`Manufacturing Buyer. Donna Sullivan and Pat Brown
`Edlt_orlal assismnr'. Catherine Kaibni
`
`i ' I g i 0
`
`Sraillngs. William.
`Cryptography and network security : principles and practitttr.f
`'
`- bled;
`
`p.
`cm.
`
`Rev. ed. at: Network and Inter-network Security.
`
`Includes bibliographiml relerenees and index.
`ISBN all-8690110
`1. amputer networks-Security nurtures.
`2. Data encryption
`
`'
`'
`4. Computer security.
`1. Stalliny. William. Cryptography and network security.
`
`II. Title.
`“510.559.5713 1998
`Mia—dell
`
`
`i999. 1995 by Prentice-Hail. Inc.
`Upper Saddle River. New Jersey 07458
`
`
`
`A.M-‘ahyg-u4.u’.
`
`
`
`The author and publisher at“ this book have used their best efforts in preparing this book. These eflons include the
`development. research, and testing ofihe theatres an
`publisher make no warranty of any kind. expressed or implied. with regard to these programs or the documentation
`sequential
`enntained in this book. The author and publisher shall not be liable in any event for incidental or can
`damages in mnnccu'un with. or arising out of, the furnishing. performancc. or use of lime programs.
`
`
`All righl reserved. No part at this boat may be repmduced. in any form as by any means.
`without permission in writing from the publisher.
`
` Printed in the UnrtecfSrates of America
`109876
`
`
`
` ISFN fi-lB-bb‘ffil?rfl
`
`
`
`
`Prentice-Hall at Australia Pry. Limited. Sydney
`Prentice-H all of Canada. lne. Tomrrm
`
`—Ermamr India Private Limited.New Delhi
`
`Prentice-Hal! 0! Japan. Inc.. Tokyo
`Pearson Education Asia Pte. Ltd.. Singapore
`Ediiou Prentice-Hall dn BIBS“. lefl.. Rio dtJMeirv
`
`
`
`
`
`New Bay Capital, LLC
`WWW-Page 3 of 45
`
`New Bay Capital, LLC
`Ex.1007-Page 3 of 45
`
`

`

`
`
`
`
`
`
`
`“T313
`
`
`
`
`
`
`
`
`
`
`
`
`lfa secret piece of news is divulged by a spy before the time is ripe, he must be put to
`death. together with the man to whom the secret wasteful.
`
`—¥keArtquar, Sun'qu
`
`
`
`The internet community has developed application-specific security
`
`mechanisms in a number of application areas. including electronic
`mail (SIMIME, PGP), clientlserver (Kerberos), Web access (Secure
`
`Sockets Layer). and others. However, users have some security concerns that
`cut across protocol layers. For example, an enterprise can run a secure, pri-
`vate TCP/l? network by disallowing links to untrusted sites. encrypting-
`packets that leave the premises, and authenticating packets that enter the
`
`premises. By implementing security at the IP level, an organization can
`ensure secure networking not only for applications that have security mech-
`anisms but for the many security-ignorant applications.
`lP~level security encompasses three functional areas: authentication,
`
`confidentiality. and key management. The authentication mechanism assures
`
`that a received packet was. in tact. transmitted by the party identified as
`the source in the packet header. In addition, this mechanism assures that the
`packet has not been altered in transit. The confidentiality facility enables
`
`communicating nodes to encrypt messages to prevent eavesdropping by
`
`third parties. The key management facility is concerned with the secure
`exchange of keys.
`We begin this chapter with an overview of [P security (IPSec) and an
`
`introduction to the lPScc architecture. We then look at each of the three func-
`
`tional areas in detail.’ The a upendix to this chapter reviews internet protocols.
`
`'As of this writing. many of the lPSec specifications are in Internet Draft form and subject .lo
`
`stable. but some of the details may change.
`
`New Bay Capital, LLC
`WWW-Page 4 of 45
`
`New Bay Capital, LLC
`Ex.1007-Page 4 of 45
`
`

`

`400 CHAPTER 13 I lP SECURITY
`
`13.1 [P SECURITY OVERVIEW
`
`
`
`in
`‘- r'
`-.
`--'
`. w;
`.A:
`'.
`-:.. . a;
`in 1994,1heinternetArchi-
`the internet Architecture" (RFC 1636). The report stated the general consensus that
`the Internet needs more and better security. and it identified key areas for security
`mechanisms. Among these were the need to secure the network infrastructure from
`un author‘
`needto secure end-
`user-to-end—user traffic using authentication and encryption mechanisms.
`These concerns are fully justified. As confirmation, the 1997 annual report
`from the Computer Emergency Response Team (CERT) lists over 2500 reported
`
`security '
`'
`.
`.
`mos serious types of attacks
`
`Winninehammdermmets wfih false lP addresses and
`exploit applications that use authentication based on IP: and various forms of eaves-
`dropping and packet sniffing, in which attackers read transmitted information,
`
`
`mmpmnmnm. the HE included authentication and encryption as
`necessary security features in the next-generation 1P. which has been issued as IPv6.
`Fortunately, these security capabilities were designed to be usable both with the cur-
`
`rent
`.
`'
`ns
`at vendors can begin offering these fea-
`
`now ave some IFSec capability in their products.
`
`.
`
`Applications of IPSecz
`
`, .cross prl-
`-
`.
`i
`.- .-
`'
`.
`, .'
`- 1.. ..
`lPSec provides the capability to -
`vets and public wide area networks (WANs). and across the Internet. Examples of
`its use include the foliowing:
`
` * Secure branch office connectivity over the mumps-Hy can bend a
`secure virtual private network over the lnlernet or over a public WAN. This
`enables a business to rely heavily on the Internet and reduce its need for pri~
`vate networks. saving costs and network management overhead.
`
` 0 Secure remote ac : system is equipped
`
`with IP security protocols can make a local cal! to an Internet service provider
`(ISP) and gain secure access to a company network. This reduces the cost of
`toll charges for traveling employees and telecommuters.
`- EstablishingWWW partners: IFSec can be
`used to mwmmunieanen with other organizations, ensuring authentica-
`tion and confidentiality and providing a key exchange mechanism.
`- Enhancing electronic commerce security: Even though some Web and elec-
`
`Wmeflmmereeappheafimhwe built-in security protocols, the use of IPScc
`
`enhancestha’rseeurhy.
`
`The principal feature of IPSec that enables it to support these varied appli-
`cations is that it can encrypt andlor Mbetfireatemifiraffi—c—ai the “Novel. Thus. all
`
`2'This subsection is based on material
`in IP Security Whitepnper.
`from CyLAN chhnoingir»
`htInd/www.cylan.comifileslwhpaperhtm. 19¢?
`
`
`New Bay Capital, LLC
`WWW-Page 5 of 45
`
`New Bay Capital, LLC
`Ex.1007-Page 5 of 45
`
`

`

`
`
`
`
`
`13.1 1" IP secunrrv OVERVIEW 401
`
`User system
`
`*
`mm—
`.
`[-1
`““1"“
`Public {Internet}
`
`:L;: g
`or private
`network
`
`”1
`
`i ;
`
`
`
`
`
`
`with "’31:: “‘- L
`IP
`period
`
` IF
`
`hinder
`
`Figure 13.1 An IP Security Scenario.
`
`
`
`distributed applications including remote logon ciientlserver e-mail file transfer.
`'1'
`Web access. and so on, can be secured.
`;
`Figure 13.1 is a typical scenario of IPSec usage. An organization maintains
`
`E
`LANs at dispersedWWW on each LAN. For
`3
`traffic off site through some sort of private or public WAN IPScc protocols are
`:-
`used. These protocols operate in networking devices. such as a router or firewall,
`I
`that connect each LAN to the outside world. The IPSec networking device will
`
`typicaflyencryptandmmpmsulLuaIflLgoingmtotheWAN,anddeeryptand
`decompress traffic coming from the WAN; these operations are transparent to
`workstations and servers on the LAN. Secure transmission is also possible with indi-
`vidual users who dial into the WAN. Such user workstations must implement the
`
`lBSecptotocolstoprowiesecumy
`
`
`i i
`
`Benefits of IPSec
`
`
`[MARK97] lists the following benefits of IPSec:
`
`
`I When IPSec is implemented in a firewall or router, it provides strong security
`that can be applied to all traffic crossing the perimeter. Traffic within a com-
`pany or workgroup does not incur the overhead of security--reiated processing.
`
`lPSec 1naf1rewall1s resistant lob ass ifall traffic 1
`1
`1~ .
`- '-- u
`
` I
`
`
`
`iP and the firewall'is the only means of entrance from the Internet into the
`. organization.
`
`
`
`New Bay Capital, LLC
`WWW-Page 6 of 45
`
`
`
`New Bay Capital, LLC
`Ex.1007-Page 6 of 45
`
`

`

`
`
`
`402 cream 13 r’ [P SECURITY
`
`'
`
`lPSec is implemented in the firewall or router. Even if IPSec is implemented
`in end systems. upper-layer software, inciuding applications, is not affected.
`-
`IPSec can be transparent to end users. There is no need to train -
`' a . .
`-
`rity mechanisms, issue keying material on a per-user basis, or revoke keying
`material when users leave the organization.
`
`- IPSec can provide security for individual users if needed. This is useful for off-
`SlIC.I.'I.:II 0
`’IL -,m '
`.;
`.s-'
`e H"-.'e::‘
`zation for sensitive applications.
`'
`
`Routing Applications
`
`.Itll‘,llg:n_:_‘_;u i.e.-.= 1
`‘
`lnadditions-u li'll
`JPSec can play a vital role in the routing architecture required for internetworking.
`[HUIT93] lists the following examples of the use of IPSec. IPSec can assure that
`
`
`. A router advertisemenrfarnewrromeradverfises its preaence) comes from an
`authorized router.
`
`
`
`' A neighbor advertisement {a router seeks to establish or maintain a neighbor
`relationship wfih a router m another routing domain) comes from an autho-
`rized router.
`'
`
`0 A redirect message comes from the router to which the initial packet was sent.
`- A routing update is not forged.
`
`Without such security measures. an opponent can disrupt communications or
`divert some traffic. Routing protocols such as OSPF should be run on top of secu-
`rity associations between routers that are defined by IPSec.
`
`
`
`The IPSec specification has become quite complex. To get a feel for the overall
`architecture, we begin with a look at the documents that define IPSec. Then we dis-
`cuss IPSec sewices and introduce the concept of security association.
`
`
`IPSec Documents
`
`In August 1995, the IETF published five security-related PrOposed Standards that
`defifiearsecuntytapabflityrm the internet level:
`
`- RFC 1825: An overview of a security architecture
`- RFC 1826: Description of a packet authentication extension to IP
`
`0 RFC 1828: A specific mthenticetionmechanism
`
`0 RFC 1827: Description of a packet encryption extension to IP
`.- RFC 1829: A specific encryption mechanism
`
`
`
`
`
`New Bay Capital, LLC
`
`WWW-Page 7 of 45
`
`New Bay Capital, LLC
`Ex.1007-Page 7 of 45
`
`

`

`
`
`
`
`
`
`13.2 1 1? SECURITY ARCHITECTURE 403
`
` AH
`
`protocol
`
`
`
`
`
`II Authenlication
`
`
`
`Architecture
`
`algorithm
`
` ll Encryption
`
`
` Key
`
`'I
`
`algorithm
`
`
`
`management
`
`Figure 13.2
`
`lPSec Document Overview.
`
`Support for these features is mandatory for IPv6 and optional for va4. In both
`cases. the security features are implemented as extension headers that follow the
`main JP header. The extension header for authentication is known as the Authen-
`tieation header; that for encryption is know: as the EncapSulating Security Payload
`
`
`(ESP) header.
`
`Since this initial set of documents, a great deal of work has been done within
`the 1? Security Protocol Working Group set up by the [EFF The documents are
`
`
`divided into seven groups. as depicted in Figure 13.2:
`
`
`0 Architecture: Covers the general concepts. security requirements.
`and mechanisms defining lPSec technology.
`
`I Encapsulating Security Payload (ESP): Covers the packet format and general
`issues related to the use of the ESP for packet
`authentication.
`
`' Authentication Header (AH): Covers the packet format and general issues
`related to the use of AH for packet authentication.
`
`In': ---.‘..-. ' I‘III; _I
`
`
`New Bay Capital, LLC
`
`
`
`WWW-Page 8 of 45
`
`New Bay Capital, LLC
`Ex.1007-Page 8 of 45
`
`

`

`
`
`
`404 CHAPTER. 13 / 1? SECURITY
`
`
`
`' Authentication Algorithm: A set of documents that describe how various authen-
`tication algorithms are used for AH and for the authentication option of ESP.
`0 Key Management: Documents that describe key management schemes.
`
`- Bomnmfimerlmnnfion (DOD: Contains values needed for the other docu-
`ments to relate to each other. These include identifiers for approved encryp-
`tion and authentication algorithms, as well as operational parameters such as
`key lifetime.
`
`IPSec Services
`
`lPSec provides security services at the 1? layer by enabling a system to select
`
`WWWoledetennmefiefigcmwo use for the scrvice(s). and
`
`put in
`provi e the requested services.
`Two protocols are used to provide security: an authentication protocol designated
`by the header of the protocol, Authentication Header (AH); and a combined
`
`memumeeficmnWfimW by the format of the packet for that
`WW Secnrity Payload (ES?) The services are as follows:
`
`
`
`'- Access control
`
`
`0 Wu authentication
`- Rejection of replayed packets (a form of partial sequence integrity)
`' Confidentiality (encryption)
`
`-z'1tsn
`u
`
`
`
`r
`
`Table 13.] shows which services are provided by the AH and ESP protocols.
`For ESP, there are two cases: with and without the authentication option. Both AH
`and ESP are vehiclesjorMW of cryptographic
`keys and the management of traffic flows relative to these security protocols.
`
`Security Associations
`
`nisms for IP is the security association (SA). An association is a one-way relation-
`ship between a sender and a receiver that affords security services to the traffic
` Table 133
`IPSec Services
`
`W E
`
`SP (encryption
`ESP (encryption
`
`
`plus authentication) Access control AH only)
`
`
`
`
`Connectionless integrity
`Data origin authentication
`
` WWW
`
`
`Cfifidentiafity
`Limited trafficlflow
`confidential“
`
`
`
`
`
`New Bay Capital, LLC
`WWW-Page 9 of 45
`
`New Bay Capital, LLC
`Ex.1007-Page 9 of 45
`
`

`

`
`
`
`13.2 / 1P SECURITY ARCHITECTURE 405
`
`carried on it. If a peer relationship is needed. for two-way secure exchange. then two
`security associations are required. Security services are afforded to an SA for the
`use of AH or ESP, but not both.
`A security association is uniquely identified by three parameters:
`
`- Security Parameters Index (SP1): A bit string assigned to this SA and hav-
`ing local significance only. The SP1 is carried in AH and ESP headers to
`enable the receiving system to select the SA under which a received packet
`will be processed.
`0 1? Destination Address: Currently. only unicast addresses-are allowed: this is
`
`the address of the
`'
`‘
`end oint of the SA which may be an end user
`
`systemhLahcrwoflLsystern such use firewall or router.
`- Security Protocol Identifier: This indicates whether the association is an AH
`or ESP security association.
`
`
`I]
`',
`IF
`1
`‘3”
`u
`r
`u
`l
`u
`I
`1!
`Iofi 1'
`[ha
`Destination Address in the IPv4 or IPv6 header and the SP! in the enclosed exten-
`
`sion header (AH or ESP).
`
`
`SAP—’arametees
`
`
`
`
`
`in each IPSec implementation, there is a nominal“ Security Association Data-
`base that defines the parameters associated with each SA. A security association is
`normally defined by the following parameters:
`
`9 Sequence Number Counter: A 32-bit value used to generate the Sequence
`Number field in AH or ESP headers, described in Section 13.3 (required for
`
`all implementations).
`0 Sequence Counter Overflow: A flag indicating whether overflow of the
`Sequence Number Counter should generate an auditable event and prevent
`further transmission of packets on this SA (required for all implementations).
`
`- WWW whether anjnbound AH or ESP
`packet is a replay, described in Section 13.3 (required for all implementations).
`0 AH Information: Authentication algorithm, keys. key lifetimes. and related
`parameters being Used with AH (required for AH implementations).
`
`" K'-
`IIOII'IIBolI. "III . l'l
`'
`.
`e
`..-e
`
`:rr':i
`
`-
`
`'
`
`'
`
`r
`
`values. key lifetimes, and related n-
`for ESP implementations).
`' Lifetime of this Security Association: A time interval or byte count after
`which an SA must be replaced with a new SA (and new SPT) or terminated.
`plus an indication of which of these actions should occur (required for all
`implementations).
`
`
`
`"In this chapter, the term JP packer refers to either an IPv4 datagrarn or an IPv6 packet.
`“Nominal in the sense that the functionality provided by a Security Association Database must be present
`in any lPSec implemenation. but the way in which that functionality is provided is up to the implementor.
`
`
`
`
`
`
`New Bay Capital, LLC
`
`WWW-Page T0 of 45
`
`New Bay Capital, LLC
`Ex.1007-Page 10 of 45
`
`

`

`
`
`
`
`(06 CHAPTER 13 .111: SECURITY
`
`- IPSec Protocol Mode: Tunnel. transport, or wildcard (required for all imple-
`mentations). These modes are discussed later in this section.
`
`' Path MTU: Any observed path maximum transmission unit (maximum size of
`a packet that can be transmitted without fragmentation) and aging variables
`(required for all implementations).
`
`
`The key management mechanism thatis used to distribute keysis coupled to
`the authentication and privacy mechanisms only by way of the Security Parameters
`Index Hence authentication and privacy have been specified independent of any
`specif—kicey management mechanism.
`
`
`
`SA Selectors
`
`
`
`lPSecprovidestheuserwijhcon .- .1‘ i
`'
`1-
`'
`'
`-
`'
`
`services are applied to IP traific. As we wilLsce later. SAs can be combined'to a
`number of ways to yield the desired user configuration. Furthermore lPSec pro-
`vides a high degree of gra‘nullarity'In discriminating between traffic that'15 afforded
`IPSEEIO' O|1|I
`1
`It‘IOII.
`II'III',¢_',:,_
`
`
`ingIPtIafflctospecrfleSAs
`The means by which 1? traffic is related to specific SAS (or no SA in the case
`of traffic allowed to bypass IPSec) is the nominal Security Policy Database (SPD).
`In its simplest form, an SPD contains entries, each of which defines a subset of IP
`
`unificandPQiMstoanSAlorthmtraifie.lnmoreeempleaeenyironments,there
`may be multiple entries that potentially relate to a single SA or multiple SAs asso-
`ciated with a single SPD entry. The reader is referred to the relevant lPSec docu-
`ments for a full discussion.
`
`i 1:1’
`'
`- i
`-
`:-
`' H: -H' =-v'
`EaehSPDentrylsdefinedhyasetof
`called selectors. in effect these selectors are used to filter outgoing trafficin order
`to map it into a particular SA. Outbound processing obeys the following general
`sequence for each IP packet:
`
`
`1. Compare the values of the appropriate fields in the packet (the selector
`fields) against the SPD to find a matching SPD entry, which will point to zero
`or more SAs.
`
`2. Determine the SA if any for this packet and its associated SP1.
`3. Do the required lPSec processing (i.e., AH or ESP processing).
`
`
`TheioflowingselectorsdetermineehSPDentryz
`
`
`0 Destination [P Address: This may be a single IP address an enumerated list
`or range of addresses or a wildcard (mask) address The latter two are
`manneron system sharing the same SA
`feug.behnrdafiTew—ali).
`
`- Source IP Address: This may be a single IP address. an enumerated list or range
`of addresses. or a wildcard (mask) address. The latter two are required to sup-
`port more than one source system sharing the same SA (e.g.. behind a firewall).
`
`
`
`New Bay Capital, LLC
`Ex.1007-Page ’H of 45
`
`New Bay Capital, LLC
`Ex.1007-Page 11 of 45
`
`

`

`ating system as the user.
`' Data Sensitivity Level: Used for systems providing information flow security
`(e.g.. Secret or Unclassified).
`0 Transport Layer Protocol: Obtained from the va4 Protocol or IPv6 Nest
`Header field. This may be an individual protocol number. a list of protocol
`numbers. or a range of protocol numbers.
`- lPSecProtocol (AH orESPorAl-IIESPLUI .
`IPv4 Protocol or IPv6 Next Header field.
`- Source and Destination Ports: These may be individual TCP or UDP port val,
`ues. an enumerated list of ports. or a wildcard port.
`
`- ‘-
`
`-.'.
`
`' s;
`
`=--
`
`--
`
`- va6 Flow Label: Obtained from the IPv6 header. This may be a SpeCific IPv6
`Flow Label value or a wildcard value.
`0 IPv4 Type ofiervice (T05): Obtained from the IPv4 headeL This may be a
`specific IPVJTOS value or a wildcard value.
`
`
`
`
`
`
`
`13.2 r 11> SECURITY ARCHITECTURE 407
`
`
`
`. UserlD: A user'identifier from the operating system. This is not a field in the
` LP or upper-layerWWW same oper-
`
`Transport and Tunnel Modes
`
` Beth Pei-land BSFS‘upporttwo—rrrorles of use: transport and tunnel mode. The oper-
`ation of these two modes is best understood in the context of a description of AH
`and ESP. which are covered in Sections 13.3 and 13.4, respectively. Here we provide
`a brief overview.
`
`Transport Mode
`
`Transport mode provides protection primarily for upper-layer protocols. That
`is. transport mode protection extends to the payload of an IP packet.
`7 ,
`z
`-- e
`:
`include a TCP or UDP segment or an Internet Control Message Protocol {ICMP)
`packet, all of which operate directly above IP in a host protocol stack. Typically,
`transport mode is used for end-to-end communication between two hosts (e.g.. a
`client and a server, or two workstations). When a host runs AH or ESP alter IPv4.
`the payload is the data that normally follow the IP headerLFor IP .
`.
`- ..
`, :. !
`'
`the data that normally follow both the IP header and any IPv6 extensions headers
`that are present, with the possible exception of the destination options header.
`which may be included in the protection.
`e z a
`' e.
`-
`-
`-
`:
`‘
`v
`l
`,
`ESP in transport mode encrypts and optionally .
`but not the IP header. AH in transport mode authenticates the [P payload and
`selected portions of the IP header.
`
` Tenn—eHVIode
`
`Tunnel mode provides protection to the entire 1? packet. To achieve this, after
`the AH or ESP fields are added to the 1P packet. the entire packet plus security
` fields is treated as the payload atheist “outer" 1P packet withaneweuter H’ header.
`Theentireoriginal.orinne
`n.
`.-
`:-
`.
`-
`.. “
`"
`=-- =-- aa- i:
`
`
`
`New Bay Capital, LLC
` WWW-Page T2 of 45
`
`New Bay Capital, LLC
`Ex.1007-Page 12 of 45
`
`

`

`
`
`
`
`
`408 CHAPTER 13 l [1’ SECURITY
`
`
`Table 13.2 Tunnel Mode and Transport Mode Functionality
`
`WWW
`
`
`
`
`
`
`Transport Mode SA
`
`Tunnel Mode SA
`
`
`
`Authenticates entire inner lP
`packet (inner header plus IP
`payload) plus selected portions
`of outer lP header and outer
`
`
`
`
`
`
`.
`selected portions of [P header
`and va6 extension headers.
`
`
`
`
`_lollowin_g the ESP header.
`
`
`
`
`Encrypts IP payload and any
`Encrypts inner 1P packet.
`
`
`"- -'- .. Wars
`Authenticates inner lP packet.
`
`FBHGWngtheESPheader.
`
`
`Authenticnles lP payload but
`not I? header.
`
`
`
`PP network toenother; no routers along the way are able to examine the inner iP
`header. Because the original packet is encapsulated. the new. larger packet may
`have totally different source and destination addresses, adding to the security. Tun-
`nel mode is used when one orborh ems of an SA 15 a security gateway, such as a
`firewall or routerthah‘mpiements fPSec. With tunnel mode. a number of hosts on
`networks behind firewalls may englge in secure communications without imple-
`menting lPSec. The unprotected packets generated by such hosts are tunneled
`through external networks by tunnel mode SAs set up by the IPSec software in the
`firenaH orsecuroronterarthe honmlary ofthe local network.
`Here is an example of how tunnel mode IPSee operates. Host A on a network
`generates an 1? packet with the destination address of host B on another network.
`This packet is routed from the originating host to a firewall or secure router at the
`'—boundaryfi‘nmk. The firewall filters all outgoing packets to determine the
`need for IPSec processing. If this packet from A to B requires IPSec, the firewall
`performs IPSec pracessing and encapsulates the packet in an outer lF header. The
`source 1? address of this outer IP packet is this firewall. and the destination address
`marbe a firewall that forms the boundary to 8‘5 local network. This packet is now
`routed to 8'5 firewall. with intermediate routers examining only the outer IP
`header. At B’s firewall. the outer [P header is stripped off, and the inner packet is
`delivered to B.
`
`Encrypts lP payload and any
`IPv6 extension headers
`
`va6 extension headers
`Encrypt: inner IP packet.
`
`
`
`
`ESP in tunnel mode encrypts and optionally authenticates the entirejnner 1P
`packet. including the inner IF header. AH in tunnel mode authenticates the entire
`inner 1P packet and selected portions of the outer lP header.
`Table i3.2 summarizes transport and tunnel mode functionality
`
`13.3 AUTHENTICATION HEADER
`
`
`
`..___.-_...._-__._.
`
`
`'
`'.'
`..,-- .'
`..=- ai:;";'uI=l"nl0310'1
`
`
`
`of IP packets. The data integrity feature ensures that undetected modification to a
`packet‘s content in transit is not possible. The authentication feature enables an end
`
`-._.'_-..e
`
`
`
`
`New Bay Capital, LLC
` WWW-Page T3 of 45
`
`New Bay Capital, LLC
`Ex.1007-Page 13 of 45
`
`

`

`
`
`
`13.3 I AUTHENTICATION HEADER 409
`
`system or network device to authenticate the user or application and filter traffic
`accordingly; it also prevents the address spoofing attacks observed in today's Inter-
`
`net. The AH also guards against the replay attack described later in this section.
`Authentication is based on the use of a message authentication code (MAC).
`as described in Chapter 8; hence the two parties must share a secret key.
`The Authentication Header consists of the following fields (Figure 13.3):
`
`
`- Next Header (8 bits): Identifies the type of header immecfiately following
`this header.
`
` -..—---..-—...-...
`I Payload Length (8 bits): Length of Authentication Header in 32-bit words,
`minus 1mm of the authentication data field is 96
`
`
`hits, or three 32-bit w
`With a three-word fixed header there are a total
`
`.;_n:--u_..
`of six words in the header. and the Payload Length field has a value of 4.
`
`0 Reserved (16 bits): For future use.
`..._._,_-.._..,._
`_5 ..' H 3“,“! .F. .
`
`
`
`'- Sequence Number (32 Hits): A monotonically increasing counter value, dis-
`cussed later.
`
`- Authentication Data (variable): A variable-length field (must be an integral
`
`number of 32-bit words) that contains the integrity Check Value (ICV). or
`MAC. for this packet. discussed later.
`
`
`
`
`
`Anti-Replay Service
`
`
`
`an a so or 0 sins a copy 0
`A replay attack is one in w to
`packet and later transmits it to the intended destination. The receipt of duplicate.
`authenticated IP packets may disrupt service in some way or may have some other
`
`undesired consequence. The Sequence Number field is designed to thwart such
`attacks. F1rst. we tfiscuss sequence number generation by the sender. and then we
`look at how it is processed by the recipient.
`When a new SA is established. the sender initializes a sequence number
`
`counter to 0. Each time that a packet is sent on this SA. the sender increments the
`counter and places the value in the Sequence Number field. Thus. the first value to
`
`
`
`.1;..,.,,.u-.a
`
`
`
`3.1
`16
`.
`s
`0
`Bit:
`
`
`
`
`
`
`
`
`Authentication Data (variable)
`
`Figure 13.3 lPSee Authentication Header.
`
`
`
`
`
`New Bay Capital, LLC
`WWW-Page 14 of 45
`
`New Bay Capital, LLC
`Ex.1007-Page 14 of 45
`
`

`

`
`
`
`410 CHAPTER 13 / [P SECURITY
`
`Advance window if
`valid packet to the
`right is received
`
`.
`
`Fixed window size W
`‘——--————_—_.___—'
`
`
`
`
`
`
`
`
`N - W
`
`N + l
`
`Unmnrked If valid
`Marked ll' valid
`whammy-emcee
`packet received
` Figure 13.4 Anti-Replay Mechanism.
`
` be usedcis 1. if anti-replay is enabled (the default), the sender must not allow the
`
`sequencenumber to cycle past 25’2 - 1 back to zero. Otherwise, there would be mul—
`\
`tiple valid packets with the same sequence number. If the limit of 232 — l is reached
`the sender should terminate this SA and negotiate a new SA with a new key.
`
`Because iPis a connectionless. unreliable service. the protocol does not guar-
`WWW be delivered in order and does not guarantee that all pack-
`ets will be delivered. Therefore, the lPSec authentication document dictates that the
`receiver should implement a window of size W, with a default of W = 64. The right
`edge of the window represents the highest sequence number, N. so far reocivedior
`a valid packet. For any packet with a sequence number in the range from N — W +
`l to N that has been correctly received (i.e., properly authenticated). the corre-
`sponding slot in the window is marked (Figure 13.4). Inbound processing proceeds
`as follow when a packet is received:
`
`
`
`1. If the received packet falls within the window and is new, the MAC is checked.
`If the packet is authenticated, the corresponding slot in the window is marked.
`2. If the received packet is to the right of the window and is new, the W is
`checked. If the packet is authenticated. the window is advanced so that this
`sequence number is the right edge of the window, and the corresponding slot
`in the window is marked.
`
`3. i a ion sits, the
`‘l
`u
`I.
`I
`I‘
`l .
`n
`l.
`I
`I
`'
`’
`
`
`
`Integrity Check Value
`
`
`The Authentication Data field holds a value referred to as the integrity Cheek
`Value. The ICV is a message authentication code or a truncated version of a code
`produced by a MAC algorithm. The current specification dictates that a compliant
`implementation must support
` 0 HMAGMDS-96
`' HMAC—SHA-l-96
`
`
`
`
`
`
`New Bay Capital, LLC
` WWW-Page T5 of 45
`
`New Bay Capital, LLC
`Ex.1007-Page 15 of 45
`
`

`

`
`
`
`
`
`13.3 / AUTHENTICATION HEADER 411
`
`Both of these use the HM AC algorithm. the first with the MD5 hash code and the
`second with the SHA-l hash code (all of these algorithms are described in Chapter
`9). In both cases, the full HMAC value is calculated but then truncated by using the
`first 96 bits, which IS the default length for the Authentication Data field.
`The MAC is calculated over the following:
`
`- 1P header fields that either do not change in transit (immutable) or that are
`predictable in value upon arrival at the endpoint for the AH SA. Fields that
`may change in transit and whose value on arrival are unpredictable are set to
`zero for purposes of calculation at both source and destination.
`- The AH header other than the Authentication Data field. The Authentica-
`
`
`tion Data field is set to zero for wwwm SDJLLCE and
`destination.
`
`I The entire upper-level protocol data. which is assumed to be immutable in
`
`transittegua'FCPsegmentoraninnerthaeketintunnelmedea.
`
`For IPv4 examples of immutable fields are internet Header Length and
`Source Address. An example of a mutable but predictable field'15 the Destination
`
`
`Addresséwithloosemstrielsoureemuhngffixamplesofmutabiefieidsdrflam
`
`
`Note that both source and destination address fields are protected. so that address
`Spoofing is prevented.
`For ‘Pv6 examples in the base header are Version (immutable) Destina-
`mmmmmwmmmmmmmmmmr
`calculation)
`
`Transport and Tunnel Modes
`
`Figure 13.5 shows two ways in which the lPSec authentication service can be used.
`in one case, authentication is provided directly between a server and client work-
`stations; the workstation can be either on the same network as the server or on an
`
`
`
`
`
`End-In-end
`
`
`
` End-tn—end
`
`
`authentication
`
`
`
`Figure 13.5 End—to-end versus End~to-intermediate Authentication.
`
`
`
`
`New Bay Capital, LLC
`Ex.100 7-Page T6 of 45
`
`New Bay Capital, LLC
`Ex.1007-Page 16 of 45
`
`

`

`
`
`
`412 CHAPTER 13 / [p SECURITY
`
`
`
`extant-In linden:
`orig IP
`IPv6
`
`
`Mr
`{If present!
`
`
`
`
`
`(it! Before Ipplyhig AH
`
`Huthanllcnted except for mutabie “IMH
`
`
`
`
`IPv1
`
`
`
`
`
`
`IPv6
`
`orig JP
`Mr
`
`
`hop-hymn. deal.
`
`routing. Ingram"
`
`(b) Transport mode
`
`
`Authenticated uee Her
`I
`I
`BEE-t in the new “E has"
`
`nrlg ll’men-u..
`
`Authenticated ext-e ll'or muhble fields in
`
`new il' header and its extension Euler:I I
`
`
`
`(c) Tunnel mud:
`
`Figure 13.6 Scope of AH Authentication.
`
`
`
`
`support the authentication feature. This case uses a tunnel mode SA.
` In this subsection, we look at the scopeWWW firH and
` the authentication header location for theWWW-
`what different for IPv4 and IPv6. Flgure 13.63 shows typical IPv4 and IPv6 packets.
`In this ease1 the IP payload is a TCP segment; it could also be a data unit for any
`other protocol that uses 1?. such as UDP or ICMP.
`For transport mode AH using IPv4, the AB is inserted miter the originai H”
`header and before the IP payload (est... a TCP segment); this is shown in the upper
`
`
`
`
`
`
`New Bay Capital, LLC
` WWW-Page T7 of 45
`
`New Bay Capital, LLC
`Ex.1007-Page 17 of 45
`
`

`

`
`
`
`13.4 / ENCAPS