Discovery and Traversal of Security Gateways

Alwyn E. Goodloe, University of Pennsylvania
Contessa NS
Protocol eXchange, June 10, 2005



History of Routing Protocols

- In the early days of ARPANet there were few nodes, and routing tables were manually configured at each node by the local system admin.
- Centralized management was an alternative: the network manager knows the topology and handles everything. Tools can help, but it is still difficult.
- Drawbacks: managers must know the topology; managers control who gets to play; you cannot just go and add or delete a node.
- Hard to see how the Internet would have grown to its present size had either of these schemes been adopted.

Dynamic Routing Protocols

- Routing tables are updated as part of the protocol
- Adapts to changing topology and growth
- Theory: convergence in the face of changes, correctness, efficiency of the underlying protocols

Security Gateways

- Located at cutpoints in the network
- Possess an inside and an outside
- Nodes on the inside constitute its domain
- Gateways control what traffic can enter and leave a domain

Single Gateway

[Figure: a single gateway GW on the path between hosts a, b, c, g through routers r1, r2, r3; only the labels survive in the transcript]

Network as Graph

[Figure: the network drawn as a graph whose nodes are gateways GW]

Gateway Hierarchy

[Figure: nested gateway domains labelled A, A', D, D']

Traversing Gateways

- High-level policies at the gateways determine which users can communicate with members of its domain
- To enforce policies, gateways authenticate packets using cryptographic tunnels: Security Associations (IPsec)
- Packet filters determine which packets go in which association

Industrial Practice

- Gateways are usually configured using command line interfaces
- Moving to centralized management; tool support: Solsoft Policy Server
- Drawbacks are the same as for routers: inflexible in the face of changing topology
- Want protocols that dynamically find gateways and set up associations

Set Up Protocol Requirements

- Discover the gateways along the path by sending out distinguished control packets
- Negotiate a trust relationship based on high-level policy
- Set up associations using some key-exchange protocol (IKE, JFK)
- Install packet filters (low-level policies) on the gateways that are derived from, and compatible with, the high-level policies
- Discovery protocols are a special class of signaling protocol

Do People Really Want This?

- Cisco's Tunnel Endpoint Discovery (TED) protocol performs discovery. Limited: assumes two gateways. Built into high-end security gateways. Indicates industrial demand.
- IETF's IP Security Policy (IPSP) group: the charter says they will develop a discovery protocol

Need for Theory

- We have designed several protocols for setting up collections of IPsec tunnels: Sectrace, L3A (WITS 05)
- Each had subtle flaws that were uncovered by formal analysis
- Want a formalism and theory for developing such signaling protocols, like the spi-calculus and MSR for crypto protocols

Tunnel Calculus

- Key exchange as an abstract building block: not concerned with the cryptography; terminates with associations and policies properly set up
- Captures essential details of the network, in contrast with process algebras that abstract away from the network
- Built in layers

Layers

- Packet Routing
- Security Processing
- Trust Negotiation
- Establishment
- Discovery

Example

[Figure: message flow between a, g and b: Discovery, then Negotiation and Establishment (Authenticate, Encryption)]

Establishment Layer

A -> B: Req(spi-a, request)
B -> A: Rep(spi-a, spi-b, request)

Afterwards each of A and B holds SADB entries for the AB and BA associations, with the corresponding SPDB entries.

Trust Negotiation

- When a discovery packet destined for node B arrives at a gateway G, how does G know whether it should allow the set up?
- How does the initiator know that B is inside G's domain?
- These questions need to be settled by high-level policy, and this must be known before establishment begins.

Trust Management

- Need to discover, access and process high-level policy
- Work in progress
- Related work: Security Policy Protocol (SPP) from IETF IPSP, SPKI/SDSI, PolicyMaker/KeyNote, QCM/SD3, ...
- Borrow ideas and abstract away details

Security Processing Layer

- Abstraction of IPsec
- Security Associations (SA) define cryptographic transforms; the cryptography itself is abstracted away; tunnel mode
- Packet P(a,b,y) in association c -> d : I becomes P(c,d,S(I,P(a,b,y)))
- Association Database (SADB)

Security Processing Layer (contd.)

- Packet filters called security policies direct traffic into SAs: Security Policy Database (SPDB), split into SPDB-In and SPDB-Out
- Must model the processing of packets: headers are added and removed in accordance with policy
- Each packet that enters the system must undergo processing; outgoing packets are processed before being sent down to the routing layer

IPsec example

Nodes A, G, B with associations i1 (A -> G), i2 (G -> B) and i3 (A -> B).

At A:  out-policy AB:[(AB)(AG)] nests P(A,B,y) in i3, then in i1:
       P(A,G,S(i1,P(A,B,S(i3,P(A,B,y)))))
At G:  in-policy AB:[(AG)] strips i1; out-policy AB:[(GB)] nests in i2:
       P(G,B,S(i2,P(A,B,S(i3,P(A,B,y)))))
At B:  in-policy AB:[(AB)(GB)] strips i2, then i3:
       P(A,B,S(i3,P(A,B,y)))  ->  P(A,B,y)
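An added worked example, not from the slides: a toy model of the Discovery, Establishment and Security Processing layers of the tunnel calculus, run over the A - G - B IPsec example above and over the Req/Rep exchange of the Establishment Layer slide. The packet terms P(...) and S(...), the policies AB:[...], the names A, G, B, r1, r2 and the SPIs i1, i2, i3 are the slides'; the data layout, the function names, the forwarding table and the convention that spi-a names the initiator-to-responder association are this example's own assumptions.

```python
"""Toy model of tunnel-calculus layers over the A - G - B IPsec example (added example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class P:            # P(src, dst, payload): an IP packet
    src: str
    dst: str
    payload: object


@dataclass(frozen=True)
class S:            # S(spi, inner): inner packet protected under association spi
    spi: str
    inner: P


@dataclass
class Node:
    name: str
    gateway: bool = False
    sadb: dict = field(default_factory=dict)      # spi -> (tunnel src, tunnel dst)
    spdb_out: dict = field(default_factory=dict)  # (src, dst) -> [spi, ...], innermost first
    spdb_in: dict = field(default_factory=dict)   # (src, dst) -> [spi, ...], innermost first

    def process_out(self, pkt):
        """P(a,b,y) in association c->d:I becomes P(c,d,S(I,P(a,b,y))), once per policy entry."""
        for spi in self.spdb_out.get((pkt.src, pkt.dst), []):
            c, d = self.sadb[spi]                 # KeyError: policy names an SA not yet established
            pkt = P(c, d, S(spi, pkt))
        return pkt

    def process_in(self, pkt):
        """Strip every association this node knows, then enforce the inbound policy."""
        stripped = []
        while isinstance(pkt.payload, S) and pkt.payload.spi in self.sadb:
            if self.sadb[pkt.payload.spi] != (pkt.src, pkt.dst):
                raise ValueError(f"{self.name}: {pkt.payload.spi} is not an SA for {pkt.src}->{pkt.dst}")
            stripped.append(pkt.payload.spi)
            pkt = pkt.payload.inner
        if isinstance(pkt.payload, S) and pkt.dst == self.name:
            raise ValueError(f"{self.name}: unknown SA {pkt.payload.spi}")  # addressed to us, undecryptable
        required = self.spdb_in.get((pkt.src, pkt.dst), [])
        if stripped[::-1] != required:            # policy lists innermost first
            raise ValueError(f"{self.name}: {pkt.src}->{pkt.dst} arrived via {stripped}, policy needs {required}")
        return pkt


# Routing layer: forwarding tables induce the topology A - r1 - G - r2 - B (assumed); routers only route.
FORWARD = {"A": {"G": "r1", "B": "r1"}, "r1": {"G": "G", "B": "G"}, "G": {"B": "r2"}, "r2": {"B": "B"}}


def path(src, dst):
    hops = [src]
    while hops[-1] != dst:
        hops.append(FORWARD[hops[-1]][dst])
    return hops


def discover(nodes, src, dst):
    """Discovery layer: a control packet walks the path and records the gateways it crosses."""
    return [n for n in path(src, dst) if n in nodes and nodes[n].gateway]


def establish(init, resp, spi_init, spi_resp):
    """Establishment layer: Req(spi-a, request) / Rep(spi-a, spi-b, request); both ends fill their SADB."""
    req = ("Req", spi_init, (init.name, resp.name))
    rep = ("Rep", spi_init, spi_resp, (init.name, resp.name))
    for n in (init, resp):
        n.sadb[spi_init] = (init.name, resp.name)  # assumption: spi-a is the init->resp association
        n.sadb[spi_resp] = (resp.name, init.name)  # and spi-b the reverse one
    return req, rep


def transmit(nodes, pkt, src):
    """Secure nodes hand every arriving packet up to the security layer; routers just forward."""
    at, pkt = src, nodes[src].process_out(pkt)
    trace = [pkt]
    while True:
        at = FORWARD[at][pkt.dst]
        if at not in nodes:                       # plain router
            continue
        pkt = nodes[at].process_in(pkt)
        if pkt.dst == at:                         # reached the end host
            trace.append(pkt)
            return trace
        pkt = nodes[at].process_out(pkt)          # re-sent by a gateway
        trace.append(pkt)


def run_example():
    """Returns the discovered gateways and the packet as it leaves A, leaves G and arrives at B."""
    A, G, B = Node("A"), Node("G", gateway=True), Node("B")
    nodes = {"A": A, "G": G, "B": B}
    gateways = discover(nodes, "A", "B")                            # ["G"]
    establish(A, G, "i1", "i1r"); establish(G, B, "i2", "i2r"); establish(A, B, "i3", "i3r")
    A.spdb_out[("A", "B")] = ["i3", "i1"]                           # AB:[(AB)(AG)]
    G.spdb_in[("A", "B")] = ["i1"]                                  # AB:[(AG)]
    G.spdb_out[("A", "B")] = ["i2"]                                 # AB:[(GB)]
    B.spdb_in[("A", "B")] = ["i3", "i2"]                            # AB:[(AB)(GB)]
    return gateways, transmit(nodes, P("A", "B", "y"), "A")


def bypass_rejected():
    """Safety check: A->B traffic that skips tunnel i1 is dropped by G's inbound policy."""
    A, G, B = Node("A"), Node("G", gateway=True), Node("B")
    nodes = {"A": A, "G": G, "B": B}
    establish(A, B, "i3", "i3r")
    A.spdb_out[("A", "B")] = ["i3"]                                 # end-to-end tunnel only
    G.spdb_in[("A", "B")] = ["i1"]                                  # G still requires the A->G tunnel
    try:
        transmit(nodes, P("A", "B", "y"), "A")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for step in run_example()[1]:
        print(step)
    print("bypass rejected:", bypass_rejected())
```

The inbound check compares the list of associations actually stripped against the SPDB-In entry for the inner flow, which is what makes a gateway's packet filter a policy enforcement point rather than just a decryptor: a packet that reaches G in the right tunnel but for a flow G has no entry for, or in the wrong tunnel, is dropped before it is forwarded.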

Routing Layer

- Network topology is induced by the forwarding tables
- Routers only route: packet p arrives at r; look up the next hop in the table; send the packet to the next hop
- Secure nodes do IPsec processing: all packets that arrive are sent up to be processed by the security layer

Formalism

- Based on multiset rewriting and equational logic
- Very basic logic: control flow must be explicit; each rule may execute concurrently unless constrained
- State must be explicitly passed among rules: MSR's L-predicates, our resumption terms <.....>

Routing GrammarRouting Grammar

Routing Layer RulesRouting Layer Rules

Security Processing GrammarSecurity Processing Grammar

Nesting a packetNesting a packet

Output RuleOutput Rule

Safety/Liveness Properties

- Safety: if a tunnel is formed, then a proper set of credentials exists
- Liveness: given some global policy, the two parties should be able to communicate, assuming everything is in the right place
- Still working on formalizing these

Future Work

- Dissertation will flesh out the details of each layer
- Executable models in Maude
- Proofs of properties; work on the theorems
- Trust negotiation layer

Contessa NS People

Carl A. Gunter, Mark-Oliver Stehr, Alwyn Goodloe, Matthew Jacobs, Gaurav Shah, Michael McDougall, Gul Agha, Michael Greenwald, Sanjeev Khanna, Jose Meseguer, Koushik Sen, Prasanna Thati