NIST IPSec and IKE Simulation Tool

To Model A Security Gateway

NOTE:
We assume that the reader is familiar with SSF/SSFNet and DML specification. Please refer http://www.ssfnet.org/SSFdocs/dmlReference.html for further information. An example of the complete NIIST specifications of an VPN environment that cosists of two security gateways and two or more hosts behind each gateway can be found in the Experiments Section.

Any router or host can be configured as a security gateway (SG). The SG must specify a protocol graph and security policy, including cryptographic functions, IKE security policy and IPSec policy. A protocol graph for the SG consists of a list of protocols to be configured: IKEManager (an IKE daemon), NiistSocketMaster (PF_Key API module), udpSessionMaster and IPSec (IP security module). Refer diagrams in Experiments Section. The user can set an optional attribute use_encrypt_delay to indicate whether or not the cryptographic delay is applied.

graph [
  cpudelay true
  ProtocolSession [name ike use SSF.niist.IKE.IKEManager
         _find .dictionary.ikeinit 
         _find .dictionary.ike_instrument
  ]
  ProtocolSession [name socket 
                   use SSF.niist.keyAPI.NiistSocketMaster]
  ProtocolSession [name udp 
                   use SSF.OS.UDP.udpSessionMaster ]
  ProtocolSession [name ip use SSF.niist.IPSec.IPSec 
        _find .dictionary.ipsecinit 
        _find .dictionary.ipsec_instrument
  ]
]
security [
  use_encrypt_delay     true

  # the global default lifetime values
  ike_lifetype SECONDS ike_lifeduration 2400
  user_ike_soft true ike_soft_threshold 85 ike_random_delay 10
  ipsec_lifetype SECONDS ipsec_lifeduration 800
  user_ipsec_soft true ipsec_soft_threshold 85 true ipsec_random_delay 10

  _extends .dictionary.crypto_delay 
  _extends .dictionary.ikespd
  ipsec_policy [
    ipsec_interface [ id 1
      _extends .dictionary.ipsec_spd
    ]
  ]
]

• ike[ipsec]_lifetype
• ike[ipsec]_lifeduration
• user_ike[ipsec]_soft a global flag that indicates whether or not the user provides soft_threshold and random_delay. If the value is false (default), the system-provided values are used.
• ike[ipsec]_soft_threshold the percentage (%) of expiration of lifetime of an existing SA, which triggers the re-negotiation of the SA for a replacement SA. The value of 0 means that no re-keying of the SA is allowed. The value of 100 means that the re-negotiation starts after the life duration of the existing SA has been expired.
• ike[ipsec]_random_delay It is used to adjust (jitter) the calculated soft time in order to prevent the simultaneous negotiation from both ends.

To Model Cryptographic Functions

The cryptographic algorithm processing delay is based on the function of the packet size and performance of a specific cryptographic algorithm provided with key length and block size. As shown below, the cryptographic function specification (cryptoEntry) takes the following attributes:

• id the algorithm identifier;
• use the location of a class that provides the cryptographic functions of the specific algorithm;
• block_size the block size;
• key_size the key size;
• the performance of encryption in either bytes/sec, kbytes/sec or Kbytes/sec;
• d_perf the performance of decryption in either bytes/sec, kbytes/sec or Kbytes/sec.

The example DML specification of the cryptographic functions is as follows:

crypto_delay [ 
  encrypt [
    cryptoEntry [ 
      id THREE_DES_CBC 
      use SSF.niist.cryptoDelay.THREE_DES_CBC_Delay
      block_size 8 key_size 24 e_perf 811K d_perf 810K
    ]
    cryptoEntry [ 
      id AES_CBC use default block_size 16
      key_size 16 e_perf 12500K d_perf 12500K ]
    # .. more entries
  ]
  # the time taken to sign and verify the digital signature in seconds.
  signature_delay [
    signature_entry [ id RSA sign 0.03  verify 0.002 ]
    signature_entry [ id DSS sign 0.017 verify 0.021 ]
  ]
  DH_exchange_delay [
    # modp 1024bit, 100ms 
    DH_group_entry [ id group2 delay 0.1 ] 
  ]
]

The encryption and decryption performances are separated to provide flexibility in anticipation of the need to test the performance separately. The same value can be provided for both encryption and decryption if the separate performance is not available. The user can have an option to specify alternate cryptographic algorithms or even the same cryptographic algorithm with different key lengths or block size. If a security policy entry contains a new algorithm, then cryptographic functions can be dynamically provided (i.e., cryptoEntry) for the new algorithm.

The digital signature delay (signature_delay) requires the signature identifier, the delay time for signing and verification. DH delay (DH_exchange_delay) is specified with the DH group identifier and the delay time for the group.

IKE Configuration

IKE SPD
Below is the IKEv1 specification of IKE SPD for a SG.

ikespd [
  spdentry [ 
    id 0 
    nhi_remoteSG 1:500(0) ex_mode MAIN 
    identity_type IPV4_ADDR  soft_threshold 90
    policy [
      encrypt THREE_DES hash SHA auth_method preshared
      lifetype SECONDS lifetime default
    ]
    # .. more ike spd entries
  ]
]

Each IKE SPD entry (spdentry) specifies the following attributes:

• id the identifier of the entry.
• nhi_remoteSG the remote security gateway as a means of discovering remote gateway.
• ex_mode the mode of exchange.
• identity_type the type of identity.
• soft_threshold specifies the percentage (%) of expiration of the life duration of an existing SA, which triggers the re-negotiation of the SA for a replacement SA. The value of 0 means that no re-keying of the SA is allowed. The value of 100 means that the re-negotiation starts after the life duration of the existing SA has been expired.
• policy one or more policies with the attributes below.
  • encrypt the specified encryption algorithm.
  • hash the specified authentication algorithm.
  • auth_method the authentication method.
  • lifetype either time-based or byte-based.
  • lifetime the duration of the SA.

The attributes soft_threshold, lifetype and lifetime can also be globally specified, as described in To Model A Security Gateway. The soft_threshold is also associated with the parameter p1_rekeying_mode, which is automatically set to the value of 0 if p1_rekeying_mode is configured as non-continuous.

IKE Configuration Parameters
The following are the configurable DML attributes used in the key management module:

ikeinit [ 
  timer_interval      2.0     # IKE timer interval in seconds
  majorVersion        1       # IKE major version
  minorVersion        0       # IKE minor version
  debug               false   # if true, print debugging statement
  trace               false   # if true, print trace statement
  logfile             "ike.log"   # the name of the log file
  p1_rekeying_mode    continuous  #or non-continuous; re-keying methods

  # the user can specify the global default for both initiator 
  # and responder (i.e., global_default) or provides the 
  # specification of initiator (i.e., ike_initiator) and 
  # responder (i.e., ike_responder) independently, as shown below.
  global_default [
    rxt_maxcount      4   
    rxt_min           2.0     # in seconds
    rxt_max          64.0
    rtt_default       3.0    
    replay            true
    send_infoEx       true
  ]  
]
ike_initiator [
  rxt_maxcount         4   
  rxt_min              2.0     # in seconds
  rxt_max             64.0
  rtt_default          3.0    
  replay               true
  send_infoEx          true
]
ike_responder [
  rxt_maxcount         4   
  rxt_min              2.0     # in seconds
  rxt_max             64.0
  rtt_default          3.0    
  replay               true
  send_infoEx          true
]

IPSec Configuration

IPSec SPD

ipsec_spd [  
  spd_outbound [
    # the first two entries are for ISAKMP traffic.
    spdentry [
      id 0
      selector [ type TP_PROTOCOL value_type S value UDP]
      selector [ type DEST_PORT value_type S value 500] 
      action bypass
    ]
    spdentry [
      id 1
      selector [ type TP_PROTOCOL value_type S value UDP]
      selector [ type SRC_PORT value_type S value 500] 
      action bypass 
    ]
    spdentry [
      id 2
      selector [ type SRC_IP value_type R 
                 value_range [ from 0:0(0) to 0:5(0) ] ]
      selector [ type DEST_IP value_type R 
                 value_range [ from  1:0(0) to 1:5(0) ] ]
      # more selectors
      action APPLY encap_mode TUNNEL remoteSG 1:500(0) 
      sourceSG 2:500(0) usepfs true 
      proposal [          # proposal 1
        protection [
          protocol ESP
          policy [ encrypt THREE_DES_CBC auth HMAC_SHA1 ]
          # more policies
        ]
      # .. proposal 2 and more
      ]
    ]
    # .. more ipsec spd entries
  ]
  spd_inbound [
    spdentry [
      id 0
      _extends .ipsec.bypass0
    ]
    spdentry [
      id 1
      _extends .ipsec.bypass1
    ]
    spdentry [
      id 2
      selector [ type SRC_IP value_type R 
                 value_range [ from 1:0(0) to 1:9(0) ] ]
      selector [ type DEST_IP value_type R 
                 value_range [ from 0:0(0) to 0:9(0) ] ]
      action APPLY encap_mode TUNNEL remoteSG 1:500(0)
      sourceSG 2:500(0) usepfs true 
      proposal [ 
        _extends .ipsec.protectionESP
      ]
    ]
  ]  # end of spd_inbound
]

The IPSec module maintains separate inbound (spd_inbound) and outbound (spd_outbound) SPD databases. As specified above, each SPD entry (spdentry) is specified in preferential order. The following are the list of attributes:

• id the entry identifier.
• selector one or more selectors which are used to map traffic to a specific SA or SAs. The following selector parameters are defined:
  • type the selector parameter identifier. The parameters currently supported are SRC_IP, DEST_IP, DEST_PORT, SRC_PORT, TP_PROTOCOL;
  • value_type the type of the value: either the single value (S) or the range of values (R).
  • value or value_range the specific value. If the value type is R, value_range must be used and the range of values must be provided.
• action the specific action to be applied. If an SPD entry requires secure communication (APPLY), the entry must specify SA attributes as follows:
  • encap_mode the encapsulation mode. The TUNNEL mode is supported.
  • remoteSG the remote security gateway as a means of discovering remote gateway.
  • sourceSG IP address of the source SG to be used. This attribute is needed to support BGP. See IPsec Addressing for more detail.
  • usepfs the use of pfs.
  • soft_threshold the percentage value of expiration of the SA lifetime.
  • proposal one or more proposals. These proposals are ORed in preferential order.
    • protection one or more protections. If more than one protection is specified, those entries are ANDed, which is generally used when required both ESP and AH protections. A protection, in turn, specifies:
      • protocol a security protocol to be used;
      • policy one or more policies which are ORed in preferential order. A policy specifies:
        • encryption (encrypt) algorithm;
        • authentication (auth) algorithm;
        • life type (lifetype); and
        • life duration (lifetime).

IPSec Configuration Parameters
The following are the DML configurable attributes used in IP security module:

ipsecinit [
   # timer interval used for checking SAs and garbage collection
   timer_interval          2.0       
   # Initial action when no SA is available.
   init_action             DROP      # KEEP or DROP;
   default_identity_type   IPV4_ADDR
   anti_replay             true 
   # The user-provided replay window can be specified.
   replaywindow [ use SSF.niist.IPSec.ReplayWindow32 window_size 32 ]
   # Various re-keying techniques
   rekeying_mode           deleteMsg     # rttd, deleteMsg, fixed, immediate
   default_fixed_time      30
   debug                   false
   trace                   false
   logfile                 "ipsec.log"
]

Configuration Hint

• Inconsistent policies (e.g., Transform IDs) between two negotiating peers may end with a NULL pointer exception.
• Using undefined attributes may cause a NULL pointer exception. For instance, ESP_AH is not defined, but used.
• Use the reasonable values for attributes such as
  • IKE and IPSec lifeduration, and soft threshold;
  • link delay relative to IPSec lifetime;
  • SA lifetime and timer timeout values.
  E.g., If life duration is shorter than the time takes to complete file transfer and soft threshold is set to 0, a FTP application may end abruptly with a max retransmission error.