Securing Content Based Routing Publish-Subscribe Systems (SIENA)

[email protected] (colorado.edu)
2002.01.28

What is Content Based Routing?

Messages Routed Based on Content
  • No Fixed Address Field(s)
  • Generally Speaking Routers Need Full Access to Message Payload

What is Publish-Subscribe?

Event Notification System
  • Producers (Publishers)
  • Consumers (Subscribers)
  • Publications are Routed to Subscribers Based on Filters (Subscriptions)

Interesting Properties of Publish-Subscribe

Publishers and Subscribers can be Anonymous to Each Other
Clients Can be Linked Together to Form an Ad-Hoc Network Using only the Publish-Subscribe Interface

What is SIENA?

Scalable
Internet (Scale)
Event
Notification
Architecture

What/How Does SIENA Work?

Exports a Publish-Subscribe API
Employs Content Based Routing
  • Accurately Route Messages To Interested Parties
  • Bandwidth Consumption Reduction

Interesting Properties of SIENA

Notifications (Messages) Routed Based on Content
Unspecified Number of Clients or Servers
Unspecified Network Topology
Unspecified Communication Protocols
Unspecified Message Delivery Windows
Heterogeneous Host & Authority Domains
Fault Permissive

Unspecified Network Topology

Single Server
Hierarchical
General Graph
Hybrid/Combination Topology

Combination Topology (with heterogeneous authority)

Security Goals

Confidentiality
Integrity
Availability

As Described In “Secrets & Lies” by Bruce Schneier p. 121

Confidentiality Goals

Data (Publications)
  • Content Might Contain Sensitive Information
  • Routing Depends on Content
Subscriptions
  • Subscriptions May Contain Sensitive Information
  • Data Flow Analysis
  • Anonymity

Integrity Goals

Altered Messages
Injected Messages
Dropped Messages

Availability Goals

Denial of Service Protection
  • Individual Server
  • Network Congestion
Knowing When System is Overloaded/DoS’ed

Additional Goals

Billing/Accountability
Audit

Conflicting Goals

Scale vs. Security
Performance vs. Security
Anonymity vs. Security
Anonymity vs. Billing
Communication Network vs. User Security
Data Confidentiality vs. Expressiveness

How do we Balance These Conflicting Goals?

Observations

Single Solution Very Unlikely
  • Each Environment Will Need Its Own Setup
  • Military Always Does Its Own Thing
Minimization of Security in the Servers Maximizes Flexibility
Heterogeneous Solutions do Not Cover Homogeneous Solutions

Homogeneous Authority Domains

Communication Security
  • IPSEC
  • SSL (requires server changes)
  • Bogus Notifications (Traffic Analysis)
Some Faith can be Put into Software
Simple Authentication Tokens Can be Used
Multilevel/Multilateral Security Possible
  • Military Applications

Heterogeneous Authority Domains

Users Cannot Trust Network
  • Unknown Recipients
  • Unknown Servers
Network Cannot Trust Users OR Network
  • Publications/Subscriptions Valid?
  • Unknown 3rd Party Server Behavior

User Land Models

Accept Subscriptions and Publications as Public Domain
  • Subscriptions can be Obfuscated to a Certain Degree
Encrypted Messages
Signed Messages

Problems with Encrypted Notifications

Decreased Routing Performance
  • 100% Content Confidentiality Results in an Unroutable Message
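
The trade-off on this slide (and "Data Confidentiality vs. Expressiveness" earlier), worked through as an added example that is not part of the original slides or of SIENA's code. The filter format, the function names and the sample data are assumptions, and `seal` is a toy stand-in for real encryption used only to make values opaque to the router.

```python
# Added illustration; not SIENA's API. All names and data are constructed.
import hashlib
import os

OPS = {"=": lambda a, b: a == b, "<": lambda a, b: a < b, ">": lambda a, b: a > b}

def matches(filter_, notification):
    """A filter is a list of (attribute, op, value); every constraint must hold."""
    for name, op, value in filter_:
        got = notification.get(name)
        # A missing attribute or opaque ciphertext (bytes) cannot satisfy a constraint.
        if got is None or type(got) is not type(value) or not OPS[op](got, value):
            return False
    return True

def route(subscriptions, notification):
    """Return the subscribers a content-based router would deliver to."""
    return sorted(s for s, f in subscriptions.items() if matches(f, notification))

def seal(value, key):
    """Stand-in for encryption: XOR with a SHA-256 keystream. NOT secure."""
    data = repr(value).encode()
    nonce = os.urandom(8)
    stream = hashlib.sha256(key + nonce).digest()
    return nonce + bytes(b ^ stream[i % 32] for i, b in enumerate(data))

def protect(notification, key, clear=()):
    """Encrypt every attribute except the ones named in `clear`."""
    return {k: (v if k in clear else seal(v, key)) for k, v in notification.items()}

KEY = b"constructed-demo-key"
SUBS = {  # constructed subscriptions
    "alice": [("symbol", "=", "ACME"), ("price", "<", 100)],
    "bob": [("symbol", "=", "ACME")],
    "carol": [("sector", "=", "energy")],
}
NOTE = {"symbol": "ACME", "price": 95, "account": "constructed-4711"}

if __name__ == "__main__":
    print(route(SUBS, NOTE))                                    # plaintext
    print(route(SUBS, protect(NOTE, KEY)))                      # fully encrypted
    print(route(SUBS, protect(NOTE, KEY, clear=("symbol",))))   # partial
    print(route(SUBS, protect(NOTE, KEY, clear=("symbol", "price"))))
```

Every attribute left in the clear restores some routing expressiveness and is exactly what each intermediate server can read; only `account` stays confidential in the last case.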

User Land Security Models (Client/Client)

Protects Data
Anonymity Issues
Key Management/Revocation Issues
Scaling Issues
  • Organization
No Additional Load on Servers

User Land Security Models (Client/PKI/Client)

Maintains Anonymity Between Publishers and Subscribers
No Additional Load on Servers
Multiple PKI’s can be in Place
Billing Can be Based on Key Management
PKI Management Issues
  • Initial Key Distribution

Closed-PKI, “(Public Key) Infrastructure”

Server Models

Trusted Gateways
Authenticated Publications/Subscriptions
  • Loss of Anonymity
  • Foreign Networks Still a Problem
Audit
  • Loss of Anonymity

Main Problem

Specifying a Security Model Without a Well Defined Environment Will Result in Many Problems

Directions

SSL Aware Communication Layer
  • Encryption
  • Authentication
IPSEC Between Servers
  • Clients if System is Homogeneous
Trusted Gateways

Trusted Gateways

Tunnel Flagged Messages (Encrypted) to Remote Trusted Networks
Unflagged Messages Forwarded Blindly
Rate Limit Unflagged Messages
Minimize Need for Obfuscated Publications
Permits Large Public SIENA Backbones

Parting Comments On Securing SIENA

All Users are Equal in SIENA
  • Concept of Users and Permissions/Roles Needs to be Introduced.

Trusted Gateways

[Diagram: TGW]

Q&A Time :)