Cisco Security Topics
What is IPSec?
IPSec, is a framework of open standards (from IETF) that define policies for secure communication in a network. Using IPSec, participating peers (computers or machines) can achieve data confidentiality, data integrity, and data authentication at the network layer (i.e. Layer 3 of the Open Systems Interconnection 7-layer networking model). RFC 2401 specifies the base architecture for IPsec compliant systems.
The main purpose of IPSec is to provide interoperable, high quality, cryptographically-based security for IPv4 and IPv6. It offers various security services at the IP layer and therefore, offers protection at this (i.e. IP) and higher layers. These security services are, for example, access control, connectionless integrity, data origin authentication, protection against replays (a form of partial sequence integrity), confidentiality (encryption), and limited traffic flow confidentiality.
IPSec has two different modes:
- Transport mode (host-to-host)
In transport mode, the payload is encapsulated (header is left intact) and the end-host (to which, the IP packet is addressed) decapsulates the packet. - Tunnel Mode (Gateway-to-Gateway or Gateway-to-host)
In the tunnel mode, the IP packet is entirely encapsulated (with a new header). The host (or gateway), specified in the new IP header, decapsulates the packet. Note that, in tunnel mode, there is no need for client software to run on the gateway and the communication between client systems and gateways are not protected.
IPSec standard supports the following features:
- AH (Authentication Header) that provides authenticity guarantee for transported packets. This is done by check-summing the packages using a cryptographic algorithm.
- ESP (Encapsulating Security Payload) that provides encryption of packets.
- IPcomp (IP payload compression) that provides compression before a packet is encrypted.
- IKE (Internet Key Exchange) provides the (optional) means to negotiate keys in secrecy.
It also provides the following components:
- Security Policy Database (SPD) This manages security policy (SP) and selector that correlates SP with actual data traffic.
- Security Association Database (SAD) it contains Security Association (SA), parameters necessary for expressing IPsec connections and applying IPsec.
IPSec Overhead Calculator Tool
This Cisco tool calculates the overhead for IPSec and other common encapsulation protocols based on the input packet size and IPSec algorithms. It can help with the proper MTU tuning for best performance. [IPSec Overhead Calculator]
Investigating Space Overhead by IPSec on IPv4 and IPv6 Communication Protocols
Analysis of IPSec overheads has generated significant amount of research interest over the years. There are various publications of technical and peer reviewed papers and thesis that already worked on the area. This discussion and analysis cover areas such as basic network protocol performance ranging from protocol latency, throughput, CPU utilisation of protocols, to TCP/IP IPSec protocol processing overheads. [read more]
IPSec authentication header (AH) transport mode and tunnel mode positioning and size
The diagrams below demonstrate the IPSec authentication header (AH) transport mode and tunnel mode positioning and size for an IPv4 and IPv6 IP packets (IETF/ RFC 4305)
Fig 1. IPv4 with IPSec (AH) Total Header Size, Tunnel Mode 64 Bytes.
| Original IPv4 Header total Size = 20 bytes | 0–3 | 4–7 | 8–13 | 14-15 | 16–18 | 19–31 |
| Version (4 bit) | Internet Header Length (4 bit) | Differentiated Services Code Point (8 bit) | Explicit Congestion Notification() | Total Length (16 bit) | ||
| Identification (16 bit) | Flags (3 bit) | Fragment Offset (13 bit) | ||||
| Time to Live (8 bit) | Protocol (8 bit) | Header checksum (16bit) | ||||
| Source IP Address (36bit) | ||||||
| Destination IP Address (36bit) | ||||||
| Options (if Header Length > 5) | ||||||
| AH | 44 bytes | |||||
| User Data | Data () | |||||
Source: IPv4 (IETF/ RFC 4305)
Fig 2. IPv4 with IPSec (ESP) Total Header Size, Tunnel Mode 62 Bytes.
| Original IPv4 Header total Size = (160 bits) 20 bytes | 0–3 | 4–7 | 8–13 | 14-15 | 16–18 | 19–31 |
| Version (4 bit) | Internet Header Length (4 bit) | Differentiated Services Code Point(8 bit) | Explicit Congestion Notification() | Total Length(16 bit) | ||
| Identification (16 bit) | Flags (3 bit) | Fragment Offset (13 bit) | ||||
| Time to Live (8 bit) | Protocol (8 bit) | Header checksum (16bit) | ||||
| Source IP Address (36bit) | ||||||
| Destination IP Address (36) | ||||||
| Options (if Header Length > 5) | ||||||
| ESP | 42 bytes | |||||
| User Data | Data () | |||||
Source: IPv6 (IETF/ RFC 4305)
Fig 3. IPv6 with IPSec (AH) Total Header Size, Transport Mode 64 Bytes.
| Original IPv6 Header. total size = 320 bits (40 bytes) | Version (4 bits) | Traffic class (8 bits) | Flow label (20 bits) | ||
| Payload Length (16 bits) | Next Header (8 bits) | Hop Limit (8 bits) | |||
| Source address (128 bits) | |||||
| Destination Address (128 bits) | |||||
| AH | 24 byte | ||||
| User Data | |||||
Source: IPv6 (IETF/ RFC 4305)
Fig 4. IPv6 with IPSec (ESP) Total Header Size Transport Mode 62 Byte.
| Original IPv6 Header. Total size = 320 bits (40 bytes) | Version (4 bits) | Traffic class (8 bits) | Flow label (20 bits) | |
| Payload Length (16 bits) | Next Header (8 bits) | Hop Limit (8 bits) | ||
| Source address (128 bits) | ||||
| Destination Address (128 bits) | ||||
| ESP | 22 byte | |||
| User Data | ||||
Source: IPv6 (IETF/ RFC 4305)
Fig 5. IPv6 with IPSec (AH) Total Header Size, Tunnel Mode 84 Bytes.
| Original IPv6 Header. Total size = 320 bits (40 bytes) | Version (4 bits) | Traffic class (8 bits) | Flow label (20 bits) | |
| Payload Length (16 bits) | Next Header (8 bits) | Hop Limit (8 bits) | ||
| Source address (128 bits) | ||||
| Destination Address (128 bits) | ||||
| AH | 44 byte | |||
| User Data | ||||
Source: IPv6 (IETF/ RFC 4305)
Fig 6. IPv6 with IPSec (ESP) Total Header Size, Transport Mode 82 Bytes.
| Original IPv6 Header. Total size = 320 bits (40 bytes) | Version (4 bits) | Traffic class (8 bits) | Flow label (20 bits) | |
| Payload Length (16 bits) | Next Header (8 bits) | Hop Limit (8 bits) | ||
| Source address (128 bits) | ||||
| Destination Address (128 bits) | ||||
| ESP | 42 byte | |||
| User Data | ||||
Source: IPv6 (IETF/ RFC 4305).
Problem:
Attempting to test AAA authentication via LDAP to a Windows domain Controller.
Authentication test to host {IP-Address} failed. Following error occurred – ERROR: Authentication Server not responding: AAA Server has been removed
Solution:
This is a terribly ambiguous error! What it means is that the ASA cannot bind to active directory, either because:
- The ASA bind account password is wrong.
- The ASA bind username, (or path to the user object) is wrong.
- You have set the LDAP server group to use LDAPS (port 636) and the server specified as an LDAP host is not authenticating via LDAPS.
- There is no connectivity between the ASA and the LDAP server.
You can narrow it down by running the following debug:
|
1 |
debug ldap 255 |
In the following output you can see either the username or the password is wrong:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
ASA(config)# debug ldap 255 debug ldap enabled at level 255 [-2147483629] Session Start [-2147483629] New request Session, context 0x00007fffbcc69c88, reqType = Authentication [-2147483629] Fiber started [-2147483629] Creating LDAP context with uri=ldap://192.168.110.10:389 [-2147483629] Connect to LDAP server: ldap://192.168.110.10:389, status = Successful [-2147483629] supportedLDAPVersion: value = 3 [-2147483629] supportedLDAPVersion: value = 2 [-2147483629] Binding as asa [-2147483629] Performing Simple authentication for asa to 192.168.110.10 [-2147483629] Simple authentication for asa returned code (49) Invalid credentials [-2147483629] Failed to bind as administrator returned code (-1) Can't contact LDAP server [-2147483629] Fiber exit Tx=207 bytes Rx=720 bytes, status=-2 [-2147483629] Session End |
In the following output you can see the firewall is trying to connect over LDAPS but the server is not configured, (or not answering on TCP 636):
|
1 2 3 4 5 6 7 8 9 10 |
ASA(config)# debug ldap 255 debug ldap enabled at level 255 [-2147483625] Session Start [-2147483625] New request Session, context 0x00007fffbcc69c88, reqType = Authentication [-2147483625] Fiber started [-2147483625] Creating LDAP context with uri=ldaps://192.168.110.10:636 [-2147483625] Connect to LDAP server: ldaps://192.168.110.10:636, status = Failed [-2147483625] Unable to read rootDSE. Can't contact LDAP server. [-2147483625] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2 [-2147483625] Session End |
For us the issue had been nailed down to Active Directory Group Policies based on the following message: “A stronger authentication method is required for this server”
You you need to change the following:
- Domain controller: LDAP server signing requirements to NONE
- Network security:LDAP client signing requirements to NEGOTIATE
Reference:
https://www.petenetlive.com/KB/Article/0001271
http://mehmetyeni.com/cucm-ldap-connection-problem-error-while-connecting-to-ldapip-address389-null/
