Enterprise Network Packet Filtering for Mobile Cryptographic Identities
Citation
- J. Lindqvist, E. Vehmersalo, M. Komu, J. Manner (Helsinki University of Technology)
- Poster Session, USENIX Annual Technical Conference, Santa Clara, CA, June 17-22, 2007
Annotations
The firewall is based on the Host Identity Protocol (HIP) architecture and on tracking the protocol control messages and IPsec ESP SPI values.
The firewall uses HITs as access control list identifiers.
When a connection is initiated (Figure 1), the firewall verifies that the HITs of an I1 message match the access control list, and it records the HITs and IP addresses of the Initiator and Responder. It is trivial for an attacker to forge these HITs, since there are no signatures to be verified at this stage. The I1 does not contain any signature, which means that neither the firewall nor the responder can verify its authenticity. Therefore, a forged I1 can reach the responder through the firewall. However, a connection cannot be established, because a verified and completed base exchange is required before data traffic is allowed into the network.
The responder sends an R1, and the firewall checks the HITs against its ACLs. This can be used to enforce access control restrictions on the Responders behind the firewall. The firewall records the HITs of the Initiator and the Responder and their IP addresses from the R1.
Upon receiving the R1, the Initiator solves the puzzle and sends an I2 packet. The I2 contains a public key and a signature calculated using the private key of the Initiator. The firewall can verify the signature either using the public key from the packet or a preconfigured public key. If the verification fails, the firewall discards the packet. Similarly, the firewall checks the response, R2, from the responder. The I2 and R2 messages contain the IPsec ESP SPI values that the firewall needs in order to establish state for tracking ESP traffic. Likewise, the firewall uses a message carrying the LOCATOR parameter to continue tracking IPsec ESP flows across handovers in which an end host changes its IP address. Further, the SPI state expires when there is no traffic for a certain time period. This guarantees that the state is removed when a mobile node disappears, for example, moves out of range or shuts down.
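The state machine described in the annotations above (ACL check on the unsigned I1/R1, signature verification on I2/R2, SPI state created only once the base exchange completes, LOCATOR-driven re-pointing of ESP flows, and idle expiry) can be shown as a small simulation. The following Python is an added example written for this page, not code from the poster's authors or from any HIP implementation. It makes several simplifying assumptions: HITs are short labels rather than 128-bit hashes of public keys, all addresses and SPIs are constructed demo values, and the HIP public-key signature on I2, R2 and UPDATE is stood in for by an HMAC under a per-HIT secret that the firewall holds (playing the role of the "preconfigured public key" the page mentions). The message field names (`hit_i`, `hit_r`, `spi`, `locator`, `mover`) are this example's own, not HIP wire-format parameters.

```python
import hmac
import hashlib

# Constructed verification keys (assumption: the firewall is provisioned with one per HIT).
# In real HIP these would be public keys and the check a signature verification.
KEYS = {"hit-alice": b"alice-key", "hit-bob": b"bob-key"}

def signed_fields(msg):
    """Deterministic serialisation of every field except the signature itself."""
    return "|".join(f"{k}={msg[k]}" for k in sorted(msg) if k != "sig").encode()

def sign(msg, signer_hit):
    """End-host side: attach the stand-in signature computed with the signer's key."""
    msg = dict(msg)
    msg["sig"] = hmac.new(KEYS[signer_hit], signed_fields(msg), hashlib.sha256).hexdigest()
    return msg

class HipFirewall:
    """Tracks the HIP base exchange (I1, R1, I2, R2), UPDATE/LOCATOR and ESP SPI state."""

    def __init__(self, acl, esp_idle_timeout=60.0):
        self.acl = set(acl)       # allowed (initiator HIT, responder HIT) pairs
        self.assoc = {}           # (hit_i, hit_r) -> {"ip": {hit: address}, "spis": set()}
        self.esp = {}             # SPI -> {"src": ip, "dst": ip, "last_seen": t}
        self.timeout = esp_idle_timeout

    def _verify(self, msg, signer_hit):
        key = KEYS.get(signer_hit)
        if key is None or "sig" not in msg:
            return False
        expected = hmac.new(key, signed_fields(msg), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, msg["sig"])

    def expire(self, now):
        """Remove SPI state that has seen no traffic for the idle period (mobile node gone)."""
        for spi in [s for s, st in self.esp.items() if now - st["last_seen"] > self.timeout]:
            del self.esp[spi]

    def handle(self, msg, now):
        """Return 'pass' or 'drop' for one packet arriving at time `now`."""
        self.expire(now)
        t = msg["type"]
        if t == "ESP":
            st = self.esp.get(msg["spi"])
            if st is None or (st["src"], st["dst"]) != (msg["src"], msg["dst"]):
                return "drop"                      # unknown SPI, expired, or wrong endpoints
            st["last_seen"] = now
            return "pass"
        pair = (msg["hit_i"], msg["hit_r"])
        hit_i, hit_r = pair
        if pair not in self.acl:
            return "drop"                          # HITs not in the access control list
        if t == "I1":
            # Unsigned: a forged I1 passes here, but no ESP state exists until R2 verifies.
            self.assoc[pair] = {"ip": {hit_i: msg["src"], hit_r: msg["dst"]}, "spis": set()}
            return "pass"
        st = self.assoc.get(pair)
        if st is None:
            return "drop"
        if t == "R1":
            st["ip"] = {hit_i: msg["dst"], hit_r: msg["src"]}   # record addresses from R1
            return "pass"
        if t in ("I2", "R2"):
            sender = hit_i if t == "I2" else hit_r
            if not self._verify(msg, sender):
                return "drop"                      # signature failure: discard the packet
            # The SPI a host announces is the one its peer will use when sending to it.
            peer = hit_r if sender == hit_i else hit_i
            st["spis"].add((msg["spi"], peer, sender))
            if t == "R2":                          # base exchange complete: admit ESP
                for spi, frm, to in st["spis"]:
                    self.esp[spi] = {"src": st["ip"][frm], "dst": st["ip"][to], "last_seen": now}
            return "pass"
        if t == "UPDATE" and "locator" in msg:
            mover = msg["mover"]                   # the host whose address changed
            if mover not in pair or not self._verify(msg, mover):
                return "drop"
            st["ip"][mover] = msg["locator"]
            for spi, frm, to in st["spis"]:        # re-point existing ESP flows
                if spi in self.esp:
                    e = self.esp[spi]
                    if frm == mover: e["src"] = msg["locator"]
                    if to == mover: e["dst"] = msg["locator"]
                    e["last_seen"] = now
            return "pass"
        return "drop"

if __name__ == "__main__":
    fw = HipFirewall({("hit-alice", "hit-bob")})
    i1 = {"type": "I1", "hit_i": "hit-alice", "hit_r": "hit-bob", "src": "10.0.0.1", "dst": "10.0.0.2"}
    print("I1:", fw.handle(i1, 0))
    print("ESP before base exchange:",
          fw.handle({"type": "ESP", "spi": 0x1001, "src": "10.0.0.2", "dst": "10.0.0.1"}, 1))
```

The ordering of checks mirrors the page: the ACL is consulted for every control message, the I1 and R1 are accepted without any cryptographic check (so a forged I1 does reach the responder), ESP state is only created when a correctly signed R2 closes the exchange, an UPDATE with a LOCATOR is honoured only if it verifies under the moving host's key, and `expire()` removes SPI entries that have been idle longer than the configured period.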
Topic revision: r2 - 26 Sep 2007 - 16:54:59 - QiLiao