Juniper SRX and Suite B

Starting with Junos OS 12.1X45, Juniper offers Suite B cryptography on its SRX firewalls. Suite B is the NSA-defined profile for IPsec (RFC 6379): AES-GCM for ESP, SHA-2 for integrity, and elliptic-curve Diffie-Hellman and ECDSA on the P-256 or P-384 curves for IKE.

Juniper has an overview of its Suite B options here.

Standard IPSec

What does a Suite B IKE/IPsec setup look like compared to a standard one? Let's look at a couple of examples. Here is a standard route-based IKE/IPsec setup using the built-in standard proposal sets and a pre-shared key.

#### Interface IP and route for tunnel traffic
set interfaces st0.0 family inet address 192.0.2.1/24
set routing-options static route 10.10.2.0/24 next-hop st0.0
#### Zones and address book entries; IKE must be allowed in on the zone that holds the external interface
set security zones security-zone vpn interfaces st0.0
set security zones security-zone 192.0.2.0/24 host-inbound-traffic system-services ike
set security zones security-zone 192.168.0.0/24 address-book address net-cm_192-168-1-0--24 192.168.1.0/24
set security zones security-zone vpn address-book address net-cm_10-10-2-0--24 10.10.2.0/24
#### IKE policy: built-in "standard" proposal set and a pre-shared key (mode main is IKEv1-only and is ignored with version v2-only)
set security ike policy ike-policy-cm mode main
set security ike policy ike-policy-cm proposal-set standard
set security ike policy ike-policy-cm pre-shared-key ascii-text "secretkey"
#### IKE gateway: peer address, outgoing interface, IKEv2 only
set security ike gateway ike-gate-cm ike-policy ike-policy-cm
set security ike gateway ike-gate-cm address 192.0.2.2
set security ike gateway ike-gate-cm external-interface ge-0/0/0
set security ike gateway ike-gate-cm version v2-only
#### IPsec policy and the route-based VPN bound to st0.0
set security ipsec policy ipsec-policy-cm proposal-set standard
set security ipsec vpn ipsec-vpn-cm ike gateway ike-gate-cm
set security ipsec vpn ipsec-vpn-cm ike ipsec-policy ipsec-policy-cm
set security ipsec vpn ipsec-vpn-cm bind-interface st0.0
#### Liveness: VPN monitoring and dead peer detection, tunnel brought up without waiting for traffic
set security ipsec vpn-monitor-options interval 10
set security ipsec vpn-monitor-options threshold 10
set security ike gateway ike-gate-cm dead-peer-detection probe-idle-tunnel
set security ike gateway ike-gate-cm dead-peer-detection interval 10
set security ike gateway ike-gate-cm dead-peer-detection threshold 5
set security ipsec vpn ipsec-vpn-cm establish-tunnels immediately
#### PFS for the child SAs with MODP group 14 (2048-bit)
set security ipsec policy ipsec-policy-cm perfect-forward-secrecy keys group14
#### Security policies permitting the two subnets to talk across the tunnel in both directions
set security policies from-zone 192.168.0.0/24 to-zone vpn policy 192.168.0.0/24-vpn-cm match source-address net-cm_192-168-1-0--24
set security policies from-zone 192.168.0.0/24 to-zone vpn policy 192.168.0.0/24-vpn-cm match destination-address net-cm_10-10-2-0--24
set security policies from-zone 192.168.0.0/24 to-zone vpn policy 192.168.0.0/24-vpn-cm match application any
set security policies from-zone 192.168.0.0/24 to-zone vpn policy 192.168.0.0/24-vpn-cm then permit
set security policies from-zone vpn to-zone 192.168.0.0/24 policy vpn-192.168.0.0/24-cm match source-address net-cm_10-10-2-0--24
set security policies from-zone vpn to-zone 192.168.0.0/24 policy vpn-192.168.0.0/24-cm match destination-address net-cm_192-168-1-0--24
set security policies from-zone vpn to-zone 192.168.0.0/24 policy vpn-192.168.0.0/24-cm match application any
set security policies from-zone vpn to-zone 192.168.0.0/24 policy vpn-192.168.0.0/24-cm then permit

IPSec with Suite B

Here is the same IKE/IPsec setup using the Suite-B-GCM-256 proposal set. The Junos keyword is suite-b-gcm-256 (suite-b-gcm-128 for the 128-bit profile).

#### Interface IP and route for tunnel traffic
set interfaces st0.0 family inet address 192.0.2.1/24
set routing-options static route 10.10.2.0/24 next-hop st0.0
#### Zones and address book entries; IKE must be allowed in on the zone that holds the external interface
set security zones security-zone vpn interfaces st0.0
set security zones security-zone 192.0.2.0/24 host-inbound-traffic system-services ike
set security zones security-zone 192.168.0.0/24 address-book address net-cm_192-168-1-0--24 192.168.1.0/24
set security zones security-zone vpn address-book address net-cm_10-10-2-0--24 10.10.2.0/24
#### IKE policy: Suite-B-GCM-256 proposal set (AES-256-CBC, SHA-384, DH group 20, ECDSA P-384)
#### Suite B authenticates IKE with ECDSA certificates, not a pre-shared key; <ecdsa-p384-cert> is the name of an ECDSA P-384 local certificate enrolled on the SRX
set security ike policy ike-policy-cm mode main
set security ike policy ike-policy-cm proposal-set suite-b-gcm-256
set security ike policy ike-policy-cm certificate local-certificate <ecdsa-p384-cert>
#### IKE gateway: peer address, outgoing interface, IKEv2 only
set security ike gateway ike-gate-cm ike-policy ike-policy-cm
set security ike gateway ike-gate-cm address 192.0.2.2
set security ike gateway ike-gate-cm external-interface ge-0/0/0
set security ike gateway ike-gate-cm version v2-only
#### IPsec policy: Suite-B-GCM-256 proposal set (ESP AES-256-GCM with 16-octet ICV); a proposal-set cannot be combined with a named proposals list
set security ipsec policy ipsec-policy-cm proposal-set suite-b-gcm-256
set security ipsec vpn ipsec-vpn-cm ike gateway ike-gate-cm
set security ipsec vpn ipsec-vpn-cm ike ipsec-policy ipsec-policy-cm
set security ipsec vpn ipsec-vpn-cm bind-interface st0.0
#### Liveness: VPN monitoring and dead peer detection, tunnel brought up without waiting for traffic
set security ipsec vpn-monitor-options interval 10
set security ipsec vpn-monitor-options threshold 10
set security ike gateway ike-gate-cm dead-peer-detection probe-idle-tunnel
set security ike gateway ike-gate-cm dead-peer-detection interval 10
set security ike gateway ike-gate-cm dead-peer-detection threshold 5
set security ipsec vpn ipsec-vpn-cm establish-tunnels immediately
#### PFS with ECP group 20 (P-384), the group the GCM-256 profile uses for IKE; use group19 (P-256) with suite-b-gcm-128
set security ipsec policy ipsec-policy-cm perfect-forward-secrecy keys group20
#### Security policies permitting the two subnets to talk across the tunnel in both directions
set security policies from-zone 192.168.0.0/24 to-zone vpn policy 192.168.0.0/24-vpn-cm match source-address net-cm_192-168-1-0--24
set security policies from-zone 192.168.0.0/24 to-zone vpn policy 192.168.0.0/24-vpn-cm match destination-address net-cm_10-10-2-0--24
set security policies from-zone 192.168.0.0/24 to-zone vpn policy 192.168.0.0/24-vpn-cm match application any
set security policies from-zone 192.168.0.0/24 to-zone vpn policy 192.168.0.0/24-vpn-cm then permit
set security policies from-zone vpn to-zone 192.168.0.0/24 policy vpn-192.168.0.0/24-cm match source-address net-cm_10-10-2-0--24
set security policies from-zone vpn to-zone 192.168.0.0/24 policy vpn-192.168.0.0/24-cm match destination-address net-cm_192-168-1-0--24
set security policies from-zone vpn to-zone 192.168.0.0/24 policy vpn-192.168.0.0/24-cm match application any
set security policies from-zone vpn to-zone 192.168.0.0/24 policy vpn-192.168.0.0/24-cm then permit

The differences are the proposal set on both the IKE and IPsec policies (a Suite B set in place of standard) and the perfect-forward-secrecy group (an elliptic-curve group in place of MODP group 14). Note that the Suite B profiles also specify ECDSA certificate authentication for IKE rather than a pre-shared key, so a production Suite B gateway needs an ECDSA certificate on the IKE policy. Two things are easy to get wrong here: the keyword must be suite-b-gcm-256 (not suite-gcm-256), and an IPsec policy that uses a proposal-set cannot also reference a named proposals list.
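The mistakes listed above are the kind that only surface at commit time or, worse, as a tunnel that negotiates something weaker than intended. The following is an added example (not Juniper code and not part of the original post) that reads Junos set-format IKE/IPsec policy lines and checks them against the Suite B profile rules from RFC 6379: a Suite B proposal set implies ECDSA certificate authentication, the proposal-set and proposals statements are mutually exclusive, every named proposal must exist, and the PFS group should match the profile's curve (19 for GCM-128, 20 for GCM-256). The sample inputs are constructed from the policy lines on this page; the certificate name srx-ecdsa-p384 in the fixed config is an assumption.

```python
"""Consistency checks for Junos set-format IKE/IPsec policies that claim Suite B.
Added example: applies the RFC 6379 profile rules, it is not Juniper code."""

# RFC 6379 profile facts: each Suite B proposal set fixes the DH group
# (19 = P-256, 20 = P-384) and authenticates IKE with ECDSA certificates.
SUITE_B_SETS = {"suite-b-gcm-128": "group19", "suite-b-gcm-256": "group20"}
# 768/1024/1536-bit MODP groups sit below the 2048-bit floor; never use them for PFS.
WEAK_DH_GROUPS = {"group1", "group2", "group5"}


def parse_set_lines(text):
    """Collect IKE policies, IPsec policies and IPsec proposal names.

    Each policy maps a statement keyword (proposal-set, pre-shared-key, ...)
    to the list of argument strings seen for it. Lines starting with '#' and
    statements outside security ike/ipsec policy are ignored."""
    ike, ipsec, proposals = {}, {}, set()
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("#") or tok[:2] != ["set", "security"]:
            continue
        if tok[2:4] == ["ipsec", "proposal"] and len(tok) > 4:
            proposals.add(tok[4])
        elif len(tok) >= 6 and tok[2:4] == ["ike", "policy"]:
            ike.setdefault(tok[4], {}).setdefault(tok[5], []).append(" ".join(tok[6:]))
        elif len(tok) >= 6 and tok[2:4] == ["ipsec", "policy"]:
            ipsec.setdefault(tok[4], {}).setdefault(tok[5], []).append(" ".join(tok[6:]))
    return ike, ipsec, proposals


def _resolve_suite(name, where, findings):
    """Return the Suite B set a proposal-set names (None if it is not Suite B),
    flagging the 'suite-gcm-NNN' misspelling that Junos does not accept."""
    if name in SUITE_B_SETS:
        return name
    fixed = name.replace("suite-gcm-", "suite-b-gcm-")
    if fixed in SUITE_B_SETS:
        findings.append(f"{where}: proposal-set '{name}' is not a Junos keyword, use '{fixed}'")
        return fixed
    return None


def lint(text):
    """Return a list of findings; an empty list means the policies are consistent."""
    ike, ipsec, proposals = parse_set_lines(text)
    findings = []
    for name, pol in ike.items():
        where = f"ike policy {name}"
        for ps in pol.get("proposal-set", []):
            suite = _resolve_suite(ps, where, findings)
            if suite and "pre-shared-key" in pol:
                findings.append(f"{where}: {suite} authenticates IKE with ECDSA certificates, not a pre-shared key")
    for name, pol in ipsec.items():
        where = f"ipsec policy {name}"
        suites = [s for s in (_resolve_suite(ps, where, findings) for ps in pol.get("proposal-set", [])) if s]
        named = pol.get("proposals", [])
        if pol.get("proposal-set") and named:
            findings.append(f"{where}: 'proposal-set' and 'proposals' are mutually exclusive")
        for p in named:
            if p not in proposals:
                findings.append(f"{where}: references undefined ipsec proposal '{p}'")
        for pfs in pol.get("perfect-forward-secrecy", []):
            group = pfs.split()[-1]  # argument is "keys groupNN"
            if group in WEAK_DH_GROUPS:
                findings.append(f"{where}: PFS {group} is below the 2048-bit minimum")
            for suite in suites:
                if group != SUITE_B_SETS[suite]:
                    findings.append(f"{where}: {suite} pairs with PFS {SUITE_B_SETS[suite]}, config uses {group}")
    return findings


# Constructed sample: the Suite B policy lines from this page, as originally written.
PAGE_CONFIG = """
set security ike policy ike-policy-cm mode main
set security ike policy ike-policy-cm proposal-set suite-gcm-256
set security ike policy ike-policy-cm pre-shared-key ascii-text "secretkey"
set security ipsec policy ipsec-policy-cm proposal-set suite-gcm-256
set security ipsec policy ipsec-policy-cm proposals ipsec-proposal-cm
set security ipsec policy ipsec-policy-cm perfect-forward-secrecy keys group19
"""

# Constructed sample: the same policies made consistent with Suite-B-GCM-256.
# 'srx-ecdsa-p384' is an assumed local certificate name, not one from the page.
FIXED_CONFIG = """
set security ike policy ike-policy-cm proposal-set suite-b-gcm-256
set security ike policy ike-policy-cm certificate local-certificate srx-ecdsa-p384
set security ipsec policy ipsec-policy-cm proposal-set suite-b-gcm-256
set security ipsec policy ipsec-policy-cm perfect-forward-secrecy keys group20
"""

if __name__ == "__main__":
    for label, cfg in (("page config", PAGE_CONFIG), ("fixed config", FIXED_CONFIG)):
        results = lint(cfg)
        print(f"{label}: {len(results)} finding(s)")
        for f in results:
            print("  -", f)
```

Run against the page's original lines the checker reports six findings (the misspelled keyword on both policies, the pre-shared key, the conflicting proposals statement, the undefined proposal, and the group19/group20 mismatch); the fixed config reports none. It looks only at policy statements, so it is a pre-commit sanity check, not a substitute for confirming the negotiated algorithms on the live SA.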

Diffie Hellman groups

This setting specifies whether perfect forward secrecy (PFS) is used when negotiating the IPsec security association, and if so, which Diffie-Hellman group is used. With PFS, the key for each child SA (phase 2 in IKEv1 terms) is derived from its own, separate Diffie-Hellman exchange rather than from the IKE SA's keying material, so compromising one SA's key does not expose the keys of other SAs. The groups Junos offers:

Group 2: a modular exponentiation (MODP) group with a 1024-bit modulus.
Group 5: a MODP group with a 1536-bit modulus.
Group 14: a MODP group with a 2048-bit modulus.
Group 19: a random 256-bit elliptic curve group (NIST P-256).
Group 20: a random 384-bit elliptic curve group (NIST P-384).
Group 21: a random 521-bit elliptic curve group (NIST P-521).
Group 24: a MODP group with a 2048-bit modulus and a 256-bit prime-order subgroup.

Groups 2 and 5 are below the 2048-bit minimum that current guidance sets for finite-field Diffie-Hellman and should not be used for new tunnels. Suite B uses group 19 with the GCM-128 profile and group 20 with the GCM-256 profile.

The proposal set used above is suite-b-gcm-256. The Juniper page referenced earlier describes the 128-bit sibling, Suite-B-GCM-128, as follows:

Suite-B-GCM-128
ESP: Advanced Encryption Standard (AES) encryption with 128-bit
     keys and 16-octet integrity check value (ICV) in Galois
     Counter Mode (GCM).
IKE: AES encryption with 128-bit keys in cipher block chaining
     (CBC) mode, integrity using SHA-256 authentication, and
     key establishment using Diffie-Hellman (DH) group 19 and
     authentication using Elliptic Curve Digital Signature
     Algorithm (ECDSA) 256-bit elliptic curve signatures.

Suite-B-GCM-256 steps every component up one level (RFC 6379): ESP uses AES-256-GCM with a 16-octet ICV, and IKE uses AES-256-CBC with SHA-384 integrity, DH group 20 (P-384) and ECDSA P-384 signatures. Note that in both profiles GCM provides confidentiality and integrity together for ESP, so no separate HMAC is negotiated for the data path.

The advantage of elliptic-curve cryptography is that it delivers the same security level with far smaller keys: a 256-bit curve (group 19) is rated at roughly 128 bits of security, comparable to a 3072-bit MODP group, so each key exchange and signature costs much less to compute than the equivalent finite-field or RSA operation. Whether you see a measurable improvement depends on where the time goes: ECC only affects IKE negotiation and rekeying, while the bulk data path is AES-GCM in both the standard and Suite B setups, so tunnel throughput will be largely unchanged.

If you are mathematically inclined, the Wikipedia articles on GCM, CBC, AES, SHA-2 and ECDSA cover the underlying primitives in depth.
