IPSec Project

1
IPSec Project

• 10/31/2006
• Ronghua (Ron) Wang

2
Internet Protocol Numbers
3
Key Assumptions

• Symmetric keys can be manually set instead of
  using IKE
• Key management is host-based or protocol-based
  depending on students policy

4
What you need to do in demo
Computer3 192.168.10.3
Computer4 192.168.10.4
add_key s 192.168.10.1 d 192.168.10.3
i 5555k 2345678901
Non-Secure communication
Computer2 192.168.10.2
Computer1 192.168.10.1
Secure communication
add_key s 192.168.10.1 d 192.168.10.2
-i 4444 k 1234567890 add_key s 192.168.10.1
d 192.168.10.3 -i 5555 k
2345678901 print_key d 192.168.10.2 print_key -a
add_key s 192.168.10.1 d 192.168.10.2
-i 4444 k 1234567890 print_key d
192.168.0.1 del_key d 192.168.10.1
5
System Architecture
6
Modularize project

• Key management maintain key table in kernel
  ipsec_print_entry(sec_ent) ipsec_add_entry(sec_
  ent) ipsec_del_entry(sec_ent)
• Process outgoing packets in ip_write.c
  IpSecOut(packet, key)
• Process incoming packets in ip_read.c
  IpSecIn(packet, key)

7
Components
8
Key Management

• Providing interfaces for key management
• Command line commands
• setkey s 192.168.10.1 d 192.168.10.2 i 5598 k
  1234567890
• delkey s 192.168.10.1 d 192.168.10.2 i 5598
• prkey s 192.168.10.1
• The command files are stored at the directory of
  /usr/src/commands/simple

9
Implement Key Table

• Protecting keys
• Where to put the keys?
• What kind of structures to store the keys?
• The key idea to implement set key when inet
  server bootup, create a static struct array in
  kernel, which maintain the peer IP address and
  corresponding key if host-based policy is
  applied.
• System calls

10
References

• /usr/src/commands/simple/pr_routes.c
• /usr/src/commands/simple/add_routes.c
• /usr/src/inet/generic/ip_ioctl.c
• /usr/src/inet/generic/ip.c

11
Sample data structures to store keys

• define MAX_KEY_LEN 32 / in bytes /
• typedef struct key
• ipaddr_t ikt_src
• ipaddr_t ikt_dest
• unsigned char ikt_keyMAX_KEY_LEN
• int index_spi
• int ikt_keylen
• int ikt_flag
• key_t

12
IPSec Functionalities

• IPSEC is implemented in IP layer before
  fragmentation.
• Outgoing IP packets are processed in ip_write.c
• All incoming IP packets sent to up layer
  (TCP/UDP) are processed in ip_read.c

13
ESP Tunneling Packet Format
14
Checklist for Outgoing Packets

• Check whether IP packets need to be processed
• Construct new IP header
• Construct ESP header
• Calculate the size of encryption block and pad it
• Encrypt (padded data)
• Do HMAC (ESP headerencrypted data, key) to
  calculate hash value and save it in ESP tail
• Add new IP header, do checksum and send new
  packet to next layer

15
Implementation
Example IpSecOut(pack, key)
ESP auth
new IP hdr
ESP hdr
ESP pad
16
Checklist for Incoming Packets

• Check whether the IP packet need IPSEC processing
• Do HMAC(IP_data, key) to calculate hash value, do
  authentication
• Decrypt data block
• Delete padding to get original data
• Now original data is the original old IP header
  data, do IP header verification and send it to
  upper layer

17
Sample data structure for ESP header / tailer

• typedef struct esp_hdr
• u32_t eh_spi
• u32_t eh_id
• esp_hdr_t
• typedef struct esp_auth
• u32_t ea_dgst4
• esp_auth_t

18
How to implement padding

• We use AES encryption in IPSEC, in which data
  must be encrypted as data chunk with 16 bytes
  unit.
• If data is not multiple of 16, we need to padding
  data after it, and saving how many bytes we have
  padded, which will be used to restore original
  data in decryption.
• Sample data structure
• typedef struct esp_tail
• u8_t et_pad_len
• u8_t et_proto
• esp_tail_t

19
Issue How to handle large packets

• The max size of IP packet is 64K Bytes
• In Minix, IP_MAX_PACKSIZE (40,000) Bytes defined
  in /usr/include/net/gen/in.h
• IPSEC brings more overload, the size of new
  overload New IP header(20) ESP header(8)
  padding(lt16) ESP tail (16) lt 60 Bytes
• 40000-6439936

20
How to avoid frequent crash

• Shell script /usr/src/inet/compilemv
  /usr/bin/inet /usr/bin/inetestmake install
• Press ESC during bootup, enter boot
  monitord0p0s0gtserversinetest (default
  inet)d0p0s0gtboot

21
How to avoid frequent crash

• If recompile all the kernel, including kernel, fs
  mm, run make hdboot under /usr/src/tools.
  The new-compiled minix kernel is to put as
  /minix/2.0.4rx (original 2.0.4, 1st new 2.0.4r0,
  then 2.0.4r1, and so on). In boot
  monitord0p0s0gtimage/minix/2.0.4rxd0p0s0gtboot
• Then we can select the certain kernel image to
  boot up.

22
Some Errors in debugging

• Be careful to use pointer before allocate memory
  for it
• If system seems OK at first, but crash after a
  while, mostly caused by fail to free unused
  memory
• If finish the project, could ping but fail to
  ftp, change the local buffer size you allocated
  for encryption/decryption. The size is subtle for
  system running, even it is local variable

23
My suggestions

• Do it yourself! Do not rely on others!
• If you work in a team, coordinate your work well
• Start early! As early as possible!
• Need to understand how system works
• Need to read a lot of codes
• Ask questions!
• Ask TA, ask your fellow students

24
Help sessions for IPSec project

• I will hold help sessions twice a week
• Time
• Monday 200400pm
• Thursday 200400pm
• Location TBD
• Each week will focus on one topic
• That is, you can just attend one session in a
  week
• Feel free to email me
• I will try my best to help
• Good luck to all!