Permission-Based Sending (PBS) Signaling Architecture for network traffic authorization (slide transcript)
Post on 22-Dec-2015
TRANSCRIPT
Slide 1
Permission-Based Sending (PBS) Signaling Architecture for network traffic authorization
Se Gi Hong*, Henning Schulzrinne*, Swen Weiland**
*Columbia University, **University of Goettingen
Slide 2: DoS attack
• Internet
  – Anyone can inject any IP packets into the network
  – Resources are shared by all users
  – Denial-of-Service (DoS) attacks are possible
• DoS attacks
  – Aim to disrupt the service provided by a network or server
  – The attacker might spoof the source address
• Botnet
  – The attacker controls the compromised computers through an IRC (Internet Relay Chat) channel
  – SYN flood, ICMP flood and HTTP flood
[Figure: compromised hosts send attack traffic towards the victim while legitimate DATA flows share the same network]
Slide 3: DoS attacks
• From 40,000 sensors monitoring networks in over 180 countries through Symantec products and services and third-party sources.
• The largest DDoS attack size: 40 Gb/sec, 2007
• Cyberweapons: political and military conflicts
  – Political fight between Estonia and Russia, 2007
  – Georgian-Russian war, 2008
  – "Internet Attacks Grow More Potent", NY Times, Nov 9, 2008
Slide 4: DoS attack
| Attack type | Attacks |
| --- | --- |
| Protocol-based attack | Based on specific weaknesses of the Internet protocols. TCP-SYN flood: exploits the TCP three-way handshake. ICMP flood: ICMP echo request packets directed to IP broadcast addresses |
| Application-based attack | Forces the target to execute expensive operations. HTTP request flood to a target server. SIP INVITE flood with spoofed source IP addresses |
| Reflector attack | Obscures the sources of the attack. Uses third parties (reflectors) to relay attack traffic to the victim |
| Infrastructure attack | Disables the services of critical components of the Internet. Attack on DNS root servers |
Source: Tao Peng, Christopher Leckie and Kotagiri Ramamohanarao, "Survey of network-based defense mechanisms countering the DoS and DDoS problems," ACM Computing Surveys, Vol. 39, No. 1, Article 3, 2007.
Slide 5: Existing solutions
• Proactive approaches
  – Source address filtering
    • Ingress filtering
    • Prevents source address spoofing
    • Problems
      – Universal deployment problem
      – Cannot prevent source address spoofing within the same subnet
      – A compromised router can inject and drop packets in a Byzantine network
  – Capability-based approaches
    • SIFF and TVA
    • Capabilities filter unauthorized flows
    • Problems
      – A compromised router can break the system (weak in a Byzantine network)
      – Weak at changes of state (e.g., router changes)
Slide 6: Existing solutions
• Proactive approaches
  – Overlay-based approaches
    • SOS and Mayday
    • Overlay structure to verify the legitimacy of packets
    • Problems
      – The overlay structure can be the target of the attack
      – A compromised overlay node can inject and drop packets
      – Expensive media relaying through the overlay
Slide 7: Existing solutions
• Reactive approaches
  – Filtering-based mechanisms
    • Pushback and StopIt
    • Install filters based on detected misbehavior of users
    • Problems
      – Suffer from false positives
      – A compromised router can drop the packets
  – Traceback
    • Probabilistic marking by routers and reconstruction of the data path
    • Problems
      – Implementation problem: no specific field for tracking purposes in IPv4
      – A spoofed marking field misleads the path reconstruction
      – Overwriting the marking field reduces the probability of marking
Slide 8: Existing solutions
| Approach | Solutions | Benefit | Drawback | Possible attacks | Implementation & deployment problems |
| --- | --- | --- | --- | --- | --- |
| Proactive | Ingress filtering; SIFF, TVA; SOS | Network resources are restricted, so attacks are prevented before harming the network | If the attacker breaks the system, the attack is possible | On-path attacks are still possible in both approaches | Traceback: no specific field for tracking purposes in IPv4. TVA: only for TCP. Ingress filtering: universal deployment problem. StopIt: modifies BGP packets |
| Reactive | Pushback; Traceback; StopIt | Monitoring attack traffic allows the system to react against attacks dynamically | Network resources are open to all users, including attackers; suffers from false positives | (same as Proactive) | (same as Proactive) |
Slide 9: Existing solutions
(The table of slide 8 is repeated here.)
• Prevention of attacks cannot be done by a single approach, so a hybrid approach is needed
• A solution that prevents on-path attacks is needed
• An integrated and practical solution is needed
Slide 10: Overview of PBS
• Objective
  – Preventing DoS attacks and other forms of unauthorized traffic
• Network traffic authorization
  – Permission is granted by the intended receiver
  – Permission represents the authority to send data
• Deny-by-default
  – Unauthorized traffic without permission is dropped at the first router by default
[Figure: each sender asks "May I send?" and the receiver answers "Yes, total 10 MB"; the authorized DATA flows pass, while the attack flow, which has no permission, is dropped at the first router]
Slide 11: Overview of PBS
• Hybrid approach
  – Proactive approach: explicit permission by on-path signaling
  – Reactive approach: monitoring traffic
• Secure mechanism
  – Secure permission state setup
  – Protect the authentication of data packets
Slide 12: On-path signaling: PBS NSLP
• Next Steps in Signaling (NSIS) protocol suite: the control plane for signaling
[Figure: NSIS protocol stack, top to bottom]
  – NSLP layer: signaling application-specific functions (packet filter, NAT setting, etc.): NSLP for QoS, NSLP for NAT/firewall, and PBS NSLP for network traffic authorization
  – GIST API between the NSLPs and the NTLP
  – NTLP: GIST (General Internet Signaling Transport)
  – Transport layer security over UDP, TCP, SCTP or DCCP
  – IP layer security over IP
Slide 13: PBS NSLP Signaling Message
• Two-way handshake
  – Query message: sent by a sender to request permission
  – Permission message: sent by a receiver; sets up (grant), removes (revoke) and modifies permission state; triggers the reaction mechanism against attacks
• Soft-state
  – Robustness of the system
  – Periodic refreshing of the permission state
• Peer-to-peer delivery
  – The signaling messages are delivered in a peer-to-peer fashion between the nodes that have PBS functionality
Slide 14: PBS NSLP Signaling Message
[Message sequence between Sender, R1, R2 and Receiver]
1. Sender → R1 → R2 → Receiver: Query (10MB, FID), forwarded hop by hop
2. Receiver → R2 → R1 → Sender: Permission (10MB, TTL, FID); R2 and R1 each install permission state as the Permission passes
3. Every soft-state period T the sender repeats the Query and the receiver answers with a Permission, refreshing the state
FID: 5-tuple based flow identification. TTL: permission state time limit for the flow. T: soft-state period.
Slide 15: Security
• What if an attacker sends a bogus signaling message by spoofing the address?
  – Authentication and integrity problem of the signaling message
• What if an attacker spoofs the sender's address to send attack data?
  – Authentication problem of data packets
Slide 16: Security
• Security to protect permission setup (signaling message)
  – Authentication and integrity for end-to-end communication
    • Signaling message fields are protected with public key cryptography
  – Public key distribution
    • The signaling message carries the public key (X.509 certificate)
• Security to protect data packets
  – Authentication and integrity of data packets
    • IPsec Authentication Header (AH)
    • In a trustworthy network: symmetric key cryptography (HMAC)
    • In a Byzantine network: public key cryptography (RSA, ECC)
  – Shared key distribution for IPsec
    • The Permission message carries the key
    • Transport layer security (TLS/DTLS) for hop-by-hop communication
  – Security association and key management
    • Manual SA/key management by the Permission message
Slide 17: Basic operation of prevention
[Message sequence between Sender, R1, R2 and Receiver]
1. Sender → R1 → R2 → Receiver: Q (FID, Pkey, Auth); each hop verifies Auth (Auth verification success) before forwarding
2. Receiver → R2 → R1 → Sender: P (10MB, FID, Pkey, Skey, Auth); R2 and R1 install the permission state together with Skey
3. Sender → R1 → R2 → Receiver: Data flow / IPsec, authenticated with Skey; IPsec verification succeeds at each router
4. Attacker → R1: Attack flow (without IPsec) addressed to the receiver; IPsec verification fails at R1 and the packets are dropped
Pkey: public key. Auth: authentication field for the signaling message. Skey: shared key for IPsec.
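The handshake of slide 14 and the prevention step of slide 17, worked through as an added example. This is not code from the slides or from the authors' FreeNSIS-based implementation: the message layout, the HMAC-SHA1 stand-in for the IPsec AH integrity value, the 10 MB grant policy and the sample 5-tuples are assumptions made for the illustration. It shows what the slides only draw: a Permission installs state and a shared key on every on-path node, and the first router then drops both traffic with no permission state and traffic whose authentication field does not verify.

```python
# Added example (not the authors' code): PBS permission setup and deny-by-default
# forwarding on a Sender -> R1 -> R2 -> Receiver path. Formats, key sizes, the grant
# policy and the sample 5-tuples below are assumptions made for this illustration.
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

MB = 1_000_000


@dataclass
class Permission:
    """Permission message fields kept as soft state by on-path nodes (slides 14 and 17)."""
    fid: tuple      # 5-tuple flow id: (src, dst, proto, sport, dport)
    av: int         # allowed volume in bytes (AV)
    ttl: int        # permission state lifetime in seconds
    skey: bytes     # shared key for data-packet authentication (Skey)


@dataclass
class DataPacket:
    fid: tuple
    payload: bytes
    auth: Optional[bytes] = None   # stand-in for the IPsec AH integrity check value


def ah_icv(skey: bytes, fid: tuple, payload: bytes) -> bytes:
    """HMAC-SHA1 over flow id and payload, the symmetric option the slides list for AH."""
    return hmac.new(skey, repr(fid).encode() + payload, hashlib.sha1).digest()


class PBSNode:
    """Router or receiver: forwards only packets that match installed permission state
    and carry a valid authentication field; everything else is dropped (deny-by-default)."""

    def __init__(self, name: str):
        self.name = name
        self.state = {}        # fid -> Permission
        self.forwarded = 0
        self.dropped = 0

    def install(self, perm: Permission) -> None:
        self.state[perm.fid] = perm

    def handle_data(self, pkt: DataPacket) -> bool:
        perm = self.state.get(pkt.fid)
        if perm is None:                     # no permission state for this flow: drop
            self.dropped += 1
            return False
        expected = ah_icv(perm.skey, pkt.fid, pkt.payload)
        if pkt.auth is None or not hmac.compare_digest(expected, pkt.auth):
            self.dropped += 1                # IPsec verification failed: drop
            return False
        self.forwarded += 1
        return True


class Receiver(PBSNode):
    MAX_GRANT = 10 * MB   # assumed local policy: never grant more than 10 MB per flow

    def handle_query(self, fid: tuple, requested: int) -> Optional[Permission]:
        """Authorization decision: grant with a fresh Skey, or decline (None)."""
        if requested > self.MAX_GRANT:
            return None
        return Permission(fid, requested, ttl=90 * 60, skey=os.urandom(20))


def setup_permission(path, fid: tuple, requested: int) -> Optional[Permission]:
    """Query goes sender -> ... -> receiver; the Permission returns along the same path
    and every PBS node installs the state (and the SA) before it reaches the sender."""
    perm = path[-1].handle_query(fid, requested)
    if perm is not None:
        for node in reversed(path):
            node.install(perm)
    return perm


def send(path, pkt: DataPacket) -> bool:
    """Forward hop by hop; the first node that rejects the packet ends the walk."""
    return all(node.handle_data(pkt) for node in path)


def run_scenario() -> dict:
    r1, r2, rx = PBSNode("R1"), PBSNode("R2"), Receiver("Receiver")
    path = [r1, r2, rx]
    fid = ("10.0.0.1", "10.0.1.2", 17, 5000, 6000)          # constructed sample flow
    perm = setup_permission(path, fid, 10 * MB)
    payload = b"video chunk"
    legit = DataPacket(fid, payload, ah_icv(perm.skey, fid, payload))       # sender knows Skey
    spoofed = DataPacket(fid, payload, ah_icv(b"guess" * 4, fid, payload))   # off-path, wrong key
    unauthorized = DataPacket(("10.9.9.9", "10.0.1.2", 17, 1234, 6000), payload)  # never asked
    declined = setup_permission(path, ("10.0.0.3",) + fid[1:], 50 * MB)     # above policy
    return {
        "legit_delivered": send(path, legit),
        "spoofed_delivered": send(path, spoofed),
        "unauthorized_delivered": send(path, unauthorized),
        "declined_is_none": declined is None,
        "r1_dropped": r1.dropped,               # both bad packets die at the first router
        "r2_seen": r2.forwarded + r2.dropped,   # R2 only ever sees the authorized packet
        "receiver_forwarded": rx.forwarded,
    }
```

`send` stops at the first node that drops, which is how the slides' "dropped at the first router" property falls out of per-hop state plus per-hop verification; the spoofed packet is indistinguishable from the legitimate one by its 5-tuple and is rejected only because the attacker lacks Skey. The Auth field on the Query and Permission messages (public key signatures) is left out here and is the subject of slide 16.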
Slide 18: PBS Detection Algorithm (PDA)
• What if a compromised router (that has the shared key for IPsec) injects attack packets?
  – Packet addition attack (on-path attack)
• What if a compromised router drops the incoming packets?
  – Black hole attack (on-path attack)
• Monitoring mechanism
  – PBS Detection Algorithm (PDA)
  – Detects on-path attacks that break the permission state
  – The signaling (Query) message carries the volume of data that the sender has sent
  – The soft-state mechanism is used to periodically monitor the data flow
Slide 19: PBS Detection Algorithm (PDA)
[Message sequence between Sender, R1, R3 and Receiver; R3 is compromised: it spoofs the sender's address and has the shared key]
1. Q → P (AV = 10MB): permission state is set up along Sender–R1–R3–Receiver
2. Sender sends Data (size = 1MB) / IPsec (symmetric key); R3 adds Attack (size = 2MB) / IPsec (symmetric key), which verifies because R3 holds the shared key; the receiver sees a total of 3MB
3. At the soft-state refresh the sender's Q (v = 1MB) reaches the receiver, which compares 1MB vs 3MB and detects the attack
4. Receiver → R3 → R1 → Sender: P (public key crypto); afterwards Data (size = 1MB) / IPsec (public key) passes and the receiver sees a total of 1MB, since R3 can no longer forge authenticated packets
AV: allowed volume granted by the receiver. V: total volume of data that the sender has sent.
Slide 20: PBS Detection Algorithm (PDA)
• Detection of black hole attack
[Message sequence between Sender, R1, R3 (attacker, drop attack) and Receiver: the Query is forwarded by R1 but dropped by R3; the sender times out (T.O.) waiting for the Permission and changes the data flow path]
Slide 21: PBS Detection Algorithm (PDA)
• Detection of dropping data packets
[Message sequence between Sender, R1, R3 (attacker, drop attack) and Receiver]
1. Q → P (AV = 10MB): permission state is set up along Sender–R1–R3–Receiver
2. Sender sends Data (size = 1MB); R3 drops it, so nothing reaches the receiver
3. At the soft-state refresh the sender's Q (v = 1MB) reaches the receiver, which compares 1MB vs 0MB and detects the attack
4. Receiver → R3 → R1 → Sender: P (change path)
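The volume check behind slides 19 and 21, as an added example that is not part of the slides or of the authors' implementation. It models the RV/AV comparison of the router and receiver FSMs and the RV/SV comparison at the soft-state refresh; node names, the 1 MB, 2 MB and 10 MB figures, the verdict strings and the 5-tuple are constructed for the illustration, and the reaction (P with a new security algorithm, or a path change) is not modelled.

```python
# Added example (not the authors' code): the PBS Detection Algorithm's volume check.
# Every PBS node counts the bytes it has seen for a flow (RV). At each soft-state
# refresh the sender's Query carries the volume it actually sent (SV), and the
# receiver had granted an allowed volume (AV). Sizes and node names are constructed.
from dataclasses import dataclass

MB = 1_000_000


@dataclass
class FlowState:
    av: int        # allowed volume granted by the receiver (bytes)
    rv: int = 0    # bytes this node has received for the flow since permission setup


class PDANode:
    def __init__(self, name: str):
        self.name = name
        self.flows = {}      # fid -> FlowState
        self.alerts = []     # (fid, verdict) pairs raised by this node

    def install(self, fid, av: int) -> None:
        self.flows[fid] = FlowState(av)

    def on_data(self, fid, size: int) -> bool:
        """RV vs AV check from the router/receiver FSMs: over-volume removes the state."""
        st = self.flows.get(fid)
        if st is None:
            return False                      # deny-by-default: no permission state
        st.rv += size
        if st.rv > st.av:
            self.alerts.append((fid, "exceeds-AV"))
            del self.flows[fid]               # remove state and SA; P(AV = 0) follows
            return False
        return True

    def on_refresh_query(self, fid, sv: int) -> str:
        """RV vs SV check at the soft-state refresh (slides 19 and 21)."""
        st = self.flows.get(fid)
        if st is None:
            return "no-state"
        if st.rv > sv:
            verdict = "packet-addition"       # an on-path node injected rv - sv bytes
        elif st.rv < sv:
            verdict = "packet-dropping"       # bytes were lost upstream (black hole)
        else:
            verdict = "ok"
        if verdict != "ok":
            self.alerts.append((fid, verdict))
        return verdict


def deliver(path, fid, size: int, inject_at=None, inject_size=0, drop_at=None) -> None:
    """Push one burst of sender data along the path. A compromised router at index
    inject_at adds inject_size attack bytes (it holds the shared key, so they verify);
    a compromised router at drop_at black-holes the flow after receiving it."""
    for i, node in enumerate(path):
        if not node.on_data(fid, size):
            return
        if i == drop_at:
            return
        if i == inject_at:
            size += inject_size


def refresh(path, fid, sv: int) -> dict:
    """The sender's refresh Query, Q(v = SV), visits each node; collect their verdicts."""
    return {node.name: node.on_refresh_query(fid, sv) for node in path}


def build_path(fid, av=10 * MB):
    path = [PDANode("R1"), PDANode("R3"), PDANode("Receiver")]
    for node in path:                 # state installed by the Permission message
        node.install(fid, av)
    return path


FID = ("10.0.0.1", "10.0.1.2", 6, 40000, 80)   # constructed 5-tuple


def scenario_injection() -> dict:
    """Slide 19: R3 injects 2 MB next to the sender's 1 MB; receiver sees 3 MB vs SV = 1 MB."""
    path = build_path(FID)
    deliver(path, FID, 1 * MB, inject_at=1, inject_size=2 * MB)
    return refresh(path, FID, sv=1 * MB)


def scenario_blackhole() -> dict:
    """Slide 21: R3 drops everything; receiver sees 0 MB vs SV = 1 MB."""
    path = build_path(FID)
    deliver(path, FID, 1 * MB, drop_at=1)
    return refresh(path, FID, sv=1 * MB)


def scenario_over_volume() -> list:
    """Sender exceeds its 10 MB grant; the first router removes the state and drops."""
    path = build_path(FID)
    deliver(path, FID, 11 * MB)
    return path[0].alerts
```

Note what the check can and cannot tell apart: the honest nodes upstream of the compromised router report "ok" in both scenarios, so the disagreement between consecutive nodes' verdicts is what localises the misbehaving hop, while the receiver's verdict alone only says that something on the path added or removed bytes. A compromised router that also lies in its own verdict is exactly why the slides have the receiver, not the routers, drive the reaction.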
Slide 22: PBS architecture
• On-path signaling (PBS NSLP processing / GIST processing)
  – Install and maintain permission state
  – Monitor attacks
  – Trigger the reaction mechanism against attacks
  – Distribute the public key (X.509 certificate) and the session key
• Authorization
  – Decide whether to grant permission (amount of data volume) for a flow
  – Detect and identify the attack
  – Decide the reaction mechanism against the attack: IPsec AH; changing the data path
• Traffic management
  – Handle all incoming messages
  – The IP packet filter drops unauthorized packets
  – Monitor the data flow (check the total volume of the data flow)
Slide 23: PBS implementation structure
[Figure: components at user level and kernel level; arrows show control and configuration, data flow and signal flow]
User level
• On-path signaling: PBS NSLP processing (OpenSSL) and NTLP (GIST) processing
• Authorization: state table (hashtable) holding permission state and IPsec state
• Traffic management: userspace IPsec module (netfilter queue module, libiptc, OpenSSL)
Kernel level
• Linux kernel routing table (route)
• Netfilter IP packet filtering (iptables)
• Network devices
Slide 24: Testbed
• AMD Opteron 2.2GHz CPU and 2GB RAM
• Linux kernel version 2.6.23
Slide 25: Traffic overhead (signaling message overhead)
• Signaling message overhead ratio: $R_{signal} = L_{signal} / L$, where $L_{signal}$ is the total size of the signaling messages for the flow and $L$ is the total size of the data packets of the flow
• BW usage and signaling overhead ratio
  – 4GB video streaming whose running time is 90 minutes (the permission state lifetime is 90 minutes)
  – Soft-state period is 60 seconds
| Parameters for public key | BW (kbits/sec) | Overhead ratio |
| --- | --- | --- |
| RSA-1024 | 0.376 | 0.000062 |
| DSA-1024 | 0.403 | 0.000066 |
| ECC-192 | 0.313 | 0.000051 |
Slide 26: Traffic overhead (data packet overhead)
• Data packet overhead ratio: $R_{ipsec} = L_{ipsec} / L$, where $L_{ipsec}$ is the total size of the IPsec headers of the flow and $L$ is the total size of the packets of the flow
  – Each data packet carries an IPsec header
• IPsec AH size and overhead ratio
| Parameters for IPsec authentication field | IPsec AH (bytes) | Overhead ratio |
| --- | --- | --- |
| HMAC-SHA1 | 28 | 0.021 |
| RSA-1024 | 32 | 0.085 |
| DSA-1024 | 84 | 0.037 |
| ECC-192 | 140 | 0.042 |
Slide 27: CPU usage for signaling
[Three charts: CPU usage (%) of PBS NSLP (0–70%), of GIST (0–50%) and of PBS as a whole, GIST and PBS NSLP (0–90%), each against the rate in number of (Q, P) messages/sec from 400 to 800. Series: Q:UDP, P:UDP; Q:TCP, P:TCP; Q:UDP, P:TLS; Q:TCP, P:TLS; Q:TLS, P:TLS]
• Number of concurrent sessions that can be handled: 600 (Q, P) messages/sec, which with a 60 sec refresh period and fair queuing corresponds to 36,000 concurrent flows
Slide 28: Memory overhead
• Session key storage: (session key size) × (number of concurrent sessions N)
• State table recording: (size of state record per flow) × (number of concurrent sessions N)
  – 100 bytes × 10,000 = 1 MB
| Parameters | HMAC-SHA1 | RSA-1024 | DSA-1024 | ECC-192 |
| --- | --- | --- | --- | --- |
| Key size | 20 bytes | 128 bytes | 128 bytes | 24 bytes |
| Key storage size (when N = 10,000) | 0.2 MB | 1.28 MB | 1.28 MB | 0.24 MB |
Slide 29: Signaling message processing delay
• Signaling message processing delay based on public key cryptography
| Parameters | Query message (msec) | Permission message (msec) |
| --- | --- | --- |
| NULL | 0.131 | 0.134 |
| RSA-1024 | 0.423 | 0.436 |
| DSA-1024 | 1.674 | 1.701 |
| ECC-192 | 1.868 | 1.892 |
• GIST handshake delay
| | UDP | TCP | TLS |
| --- | --- | --- | --- |
| GIST handshake (msec) | 0.411 | 10.057 | 23.383 |
NULL: no cryptography algorithm is applied to signaling messages
Slide 30: IPsec processing delay
• Data packet (with and without IPsec) processing delay
| Parameters | IPsec processing delay (msec) |
| --- | --- |
| Without userspace IPsec module | 0.010 |
| NULL encryption | 0.057 |
| HMAC-SHA1 | 0.067 |
| RSA-1024 | 0.198 |
| DSA-1024 | 1.411 |
| ECC-192 | 1.649 |
• Userspace IPsec module: captures the packet from the kernel into user level to process IPsec, then sends the packet back to the kernel
• NULL encryption: no IPsec verification
Slide 31: Deployment and application
• At the edge routers
  – Edge routers in the sender's area: drop the attack packets from off-path attackers
  – Edge routers in the receiver's area: drop the attack packets that are generated in the backbone
• Closed network
  – All end-users have PBS functionality
  – Deny-by-default
  – Short stream flows, such as DNS and ICMP: flow state setup delay and signaling message overhead; rate limited
• Open networks
  – Some end users do not have PBS functionality
  – Packets from a sender that does not have PBS functionality are rate-limited
Slide 32: Conclusion
• Signaling architecture for network traffic authorization
• Hybrid approach
  – Proactive approach: explicit permission by signaling
  – Reactive approach: PBS detection algorithm (PDA)
• Secure system
  – Authentication and integrity of signaling messages: public key cryptography
  – Authentication and integrity of data packets: IPsec AH
• Practical and deployable system
• DoS defense mechanism
  – Off-path/on-path attacks
Slide 33: Backup slides
Slide 34: Existing solutions
• Proactive approaches
  – Source address filtering
    • Ingress filtering: allow packets whose IP address is in the expected IP address range
    • Prevents source address spoofing
    • Deployment problem: universal deployment problem
    • Attacks that cannot be prevented: IP address spoofing in the same subnet; a compromised router can inject and drop packets (on-path attack)
  – Capability-based approaches
    • SIFF and TVA
    • Permission (capability): filter unauthorized flows
    • Breakable system: a compromised router gives bogus capabilities; a compromised router announces the capability to the upstream nodes
    • Attack that cannot be prevented: on-path attack. A compromised router can use the capability to inject an attack flow; a compromised router can drop packets, so delivery is not guaranteed
Slide 35: Existing solutions
• Proactive approaches
  – Overlay-based approaches
    • SOS and Mayday
    • Overlay structure to verify the legitimacy of packets
    • Breakable system: the overlay structure can be the target of the attack
    • Attack that cannot be prevented: a compromised overlay node can inject and drop packets
    • Expensive media relaying
Slide 36: Existing solutions
• Reactive approaches
  – Filtering-based mechanisms
    • Pushback and StopIt
    • Detection of misbehaving users triggers a filtering request
    • Suffer from false positives
    • Attack that cannot be prevented: on-path attack; cannot guarantee the delivery of legitimate packets
  – Traceback
    • Probabilistic marking by routers / reconstruct the path
    • Implementation problem: no specific field for tracking purposes in IPv4
    • Breakable system: a spoofed marking field misleads the path reconstruction
    • Attack that cannot be prevented: on-path attack; overwriting the marking field reduces the probability of marking
Slide 37: Delay
• Round-trip delay of signaling messages before sending data packets
  – Measure signaling message processing delay
  – Measure GIST handshake delay
[Message sequence between Sender, R1 and Receiver: the RTT before data can be sent consists of the GIST handshake delay at each hop, the Query processing delay at each node on the way to the receiver, and the Permission processing delay on the way back]
![Page 38: 1 Permission-Based Sending (PBS) Signaling Architecture for network traffic authorization Se Gi Hong*, Henning Schulzrinne*, Swen Weiland** *Columbia University,](https://reader030.vdocuments.mx/reader030/viewer/2022032523/56649d805503460f94a63ebe/html5/thumbnails/38.jpg)
State - 1: Idle, 2: wait for P, 3: Permission state, 4: compare SV and AV
Send Q
Send QRecv P & P(AV!=N)|| apply crypto for data based on S value of P
Send DataSV< AV
T.O. || change route& send Q
Recv P & P(AV=0)
SV > AV || remove permission state
TTL=0 OR recv P(AV = 0) ||remove permission state
Recv P (new security algorithm) ||Change the security algorithm for IPsec
Event || ActionQ: Query message, P: Permission message, T.O.: Time outAV: The number of bytes that the receiver allowsSV: The number of bytes that the sender has been sent
1
2
3
4
FSM: Sender
38
Slide 39: FSM: Receiver
States: 1 Idle, 2 Permission decision, 3 Permission state, 4 IPsec verification, 5 Compare RV and AV, 6 Compare RV and SV, 7 Policy decision
Transitions (Event || Action):
• 1 → 2: Recv Q
• 2 → 3: Grant || set up permission state & install SA & send P(AV ≠ 0, shared key)
• 2 → 1: Decline || send P(AV = 0)
• 3 → 4: Recv Data
• 4 → 3: IPsec verification failed || drop
• 4 → 5: IPsec verification success || calculate RV
• 5 → 3: RV < AV
• 5 → 1: RV > AV || remove state and SA & send P(AV = 0)
• 3 → 6: Recv Q (SV)
• 6 → 3: SV = RV || send P
• 6 → 7: SV ≠ RV
• 7 → 3: Increase security || send P(new security algorithm)
• 7 → 1: Revoke permission || remove state and SA & send P(AV = 0)
• 3 → 1: TTL = 0 OR no refresh || remove state and SA & send P(AV = 0)
RV: the number of bytes that the receiver has received.
Slide 40: FSM: Router
States: 1 Idle, 2 Wait for P, 3 Permission state, 4 IPsec verification, 5 Compare RV and AV
Transitions (Event || Action):
• 1 → 2: Recv Q || forward Q
• 2 → 3: Recv P (AV ≠ 0) || set up permission state and SA
• 2 → 1: Recv P (AV = 0)
• 3 → 3: Recv Q || forward Q (soft-state refresh)
• 3 → 4: Recv Data
• 4 → 3: IPsec verification failed || drop Data
• 4 → 5: IPsec verification success || calculate RV
• 5 → 3: RV < AV || forward Data
• 5 → 3: RV > AV || drop Data
• 3 → 1: TTL = 0 OR recv P (AV = 0) OR no refresh || remove state and SA
• 3 → 3: Recv P (new security algorithm) || change the security algorithm for IPsec
RV: the number of bytes that the router has received for the flow.
Slide 41: Implementation structure
• Signaling (PBS NSLP / GIST)
  – PBS NSLP on GIST, using the FreeNSIS implementation: http://user.informatik.uni-goettingen.de/~nsis/
  – Finite state machine: the FSM controls the state of each node
  – Message creation and parsing: signaling messages are created and parsed at each node that has PBS NSLP functionality
  – Public key distribution: OpenSSL, X.509 certificate
  – Signaling message authentication: OpenSSL, public key cryptography for message authentication
  – GIST API: Unix socket for communication between GIST and PBS NSLP; selection of UDP/TCP/TLS for channel reliability and security
Slide 42: Implementation structure
• Authorization
  – State table: hashtable holding permission state and IPsec state
• Traffic management
  – Userspace IPsec module: a modular IPsec stack that relies on user space
    • netfilter queue module: passes the packets (if a rule matches) to user space
    • OpenSSL: public key cryptography of the IPsec authentication field
  – Netfilter/iptables
    • libiptc: interface to the filter tables in kernel space
    • iptables: filters IP packets
  – Linux kernel routing table
    • route: sets up the data path; the Linux kernel routing table is used
Slide 43: Security analysis of PBS
• Trustworthy networks
  – Attack without spoofing the address: 5-tuple based IP packet filtering
  – Attack with a spoofed source address: PDA can detect it; IPsec with symmetric key cryptography
• Byzantine networks
  – Off-path attacks: 5-tuple filtering / PDA; IPsec with symmetric key cryptography
  – On-path attack, packet addition: PDA can detect the attack; IPsec with public key cryptography
  – On-path attack, packet dropping: the signaling message and PDA can detect the attack; change the path
• Sender attack
  – Black and white list
  – The permission request gives a precise behavior profile of a sender
Slide 44: Detection delay and number of attack flows
• Detection delay
  – As attack flows are detected quickly, the number of attack flows decreases
  – Detection delay depends on the soft-state period of signaling messages
• Assumptions
  – Legitimate flow arrivals (rate $\lambda_l$) and attack flow arrivals (rate $\lambda_a$) follow Poisson distributions
  – Expected lifetime of all flows: attack flow lifetime $T_a$, legitimate flow lifetime $T_l$
  – Attack flow ratio $P_a$: ratio of the attack flow arrival rate over the total flow arrival rate, $P_a = \lambda_a / (\lambda_a + \lambda_l)$
  – Soft-state period $T$
Slide 45: Detection delay and number of attack flows
[Plot: the attack flow arrival rate is 0.8, but the actual number of attack flows is reduced since detection shortens the attack flow's lifetime]