A CGA based Source Address Authentication Method in IPv6 Access Network (CSA)
Guang Yao, Jun Bi and Pingping Lin, Tsinghua University
APAN26, Queenstown, New Zealand
Aug 4, 2008
Outline
• Background of IP Spoofing
• Related Work
• CSA Mechanism
• Evaluation and Experiment
1 Background of IP Spoofing
• An attacker can easily send packets whose source address is set deliberately or at random.
• Such packets are used in many network attacks, e.g., SYN flooding, Smurf, Man-In-The-Middle.
• When an attacker uses IP spoofing, tracing the attacker becomes very hard.
• According to CAIDA's observations, there are at least 4000 spoofing attacks per week.
An Example of IP Spoofing Attack
Figure (reflection attack): the attacker sends requests with the source address spoofed to 10.10.1.1; the amplified responses are returned to 10.10.1.1 rather than to the attacker.
2 Related Works
• There are three kinds of prevention methods:
– Filtering on path
– End-to-End Authentication
– Traceback
• Filtering in the access network belongs to "Filtering on path". It filters spoofed packets nearest to their source and so limits the damage they can do to a minimum.
Access Network Mechanisms
• Ingress Filtering
– Effective, but coarse granularity (network prefix rather than host)
• IP Source Guard
– IPv4 only
– Cannot be used in a network without a switch
• Signature Based Authentication
– Only allows a user to have a fixed address
– Needs a PKI to authenticate the identity of the user
3 CSA Mechanism
• Outline
– Summary of Requirements
– Overview of Procedure
– New Ideas
Summary of Requirements for an IPv6 Access Network Mechanism
• Host-level filtering granularity
• Light-weight in both deployment and authentication
• Suits all address assignment methods in IPv6:
– Stateless Autoconfiguration (SAC)
– DHCP
– Manual Configuration
– Cryptographically Generated Addresses (CGA)
– Privacy addresses
• Allows an interface to be assigned multiple addresses
Overview of Procedure
• Phase 1: Address Authorization (5 steps)
(1) Host: prepare an address A.
(2) Host: an identifier is used to show that the applicant is H.
(3) Host to Router: "I'm H and I require to use address A."
(4) Router: check whether identifier H can use the requested address A.
(5) Router to Host: return a "signature seed" for future authentication.
Overview of Procedure
• Phase 2: Address Authentication
Host: generate a signature based on the "signature seed" and add it to the packet.
Router: check the signature and remove it.
New Ideas
• Phase 1: Address Authorization
– Use a Host Identifier to achieve host-level granularity
– The router authorizes the requested address based on its knowledge of address assignment
• Phase 2: Address Authentication
– Light-weight signature generation: Pseudo Random Number Generation
– Light-weight signature adding and removal: Address Rewrite
Host Identifier
• The host generates a public key pair first.
• For anonymous address owners (DHCP, SAC, CGA, Privacy): identifier = hash(Public Key) [as described in CGA]
• For any address assignment mechanism involving manual configuration: identifier = hash(Public Key + Shared Secret)
The Shared Secret is a bit string allocated to the host, together with its address, by the network administrator.
• The identifier must appear together with the public key and a signature over the whole packet computed with the private key, and the packet must contain a nonce to prevent replay attacks.
• An attacker can obtain the identifier and the public key by sniffing, but cannot generate a correct signature.
Authorization on the Knowledge of Address Assignment
• The router's knowledge of address assignment:
– Manual Configuration: re-compute the identifier using the shared secret of the address owner.
– SAC/Privacy/CGA: the address has not been registered by another node. In the CGA case, the requested address must also be a correct CGA address computed on the public key.
– DHCP: the identifier in the request packet must be the one that was used to apply for the address from the DHCP server. [See next page]
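Phase 1 as a host/router exchange, written as an added example rather than the authors' code: the host builds the identifier and the signed, nonce-carrying request from the "Host Identifier" slide, and the router applies the per-assignment-method checks above before handing out a signature seed. Everything beyond the slides is assumed: a toy textbook RSA key pair (256-bit primes, no padding) stands in for the host's public key, SHA-256 truncated to 128 bits is the identifier hash, the CGA check is RFC 3972 Hash1 with Sec=0 and collision count 0 (no Hash2), requests are dicts instead of wire packets, and the `dhcp_bindings` table is assumed to have been filled by the DHCP exchange on the next slide.

```python
"""CSA Phase 1 (address authorization) as a host/router exchange.

Added example, not the authors' code; stdlib only. Assumed, not in the slides:
textbook RSA (256-bit primes, no padding) as the host key pair, SHA-256
truncated to 128 bits as the identifier hash, RFC 3972 Hash1 with Sec=0 and
collision count 0 as the CGA check, and dicts instead of wire packets.
"""
import hashlib, ipaddress, math, os, random

def _probable_prime(n, rng, rounds=16):
    """Miller-Rabin, enough for a demo key pair."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits=256, rng=None):
    """Return ((n, e), (n, d)); toy RSA for illustration only."""
    rng = rng or random.SystemRandom()
    def prime():
        while True:
            c = rng.getrandbits(bits) | 1 << (bits - 1) | 1  # force top and low bit
            if _probable_prime(c, rng):
                return c
    while True:
        p, q, e = prime(), prime(), 65537
        if p != q and math.gcd(e, (p - 1) * (q - 1)) == 1:
            return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def pubkey_bytes(pub):
    return pub[0].to_bytes(64, "big") + pub[1].to_bytes(4, "big")

def _h(msg):  # 248-bit digest, always below the 512-bit modulus
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> 8

def sign(priv, msg):
    return pow(_h(msg), priv[1], priv[0])

def verify(pub, msg, sig):
    return pow(sig, pub[1], pub[0]) == _h(msg)

def host_identifier(pub, shared_secret=b""):
    """hash(PublicKey) for SAC/DHCP/CGA/privacy, hash(PublicKey + SharedSecret) for manual."""
    return hashlib.sha256(pubkey_bytes(pub) + shared_secret).digest()[:16]

def cga_address(prefix, pub, modifier):
    """Address the router recomputes from the public key in the CGA case (Hash1, Sec=0)."""
    pfx = ipaddress.IPv6Network(prefix).network_address.packed[:8]
    iid = bytearray(hashlib.sha1(modifier + pfx + b"\x00" + pubkey_bytes(pub)).digest()[:8])
    iid[0] &= 0x1C  # Sec bits (top three) and u/g bits cleared
    return ipaddress.IPv6Address(pfx + bytes(iid))

def _signed_fields(r):
    return (r["identifier"] + pubkey_bytes(r["pubkey"]) + ipaddress.IPv6Address(r["address"]).packed
            + r["modifier"] + r["nonce"])

def build_request(priv, pub, address, shared_secret=b"", modifier=b""):
    """Step 3: 'I am H and I require address A', with public key, nonce and signature."""
    r = {"identifier": host_identifier(pub, shared_secret), "pubkey": pub,
         "address": str(ipaddress.IPv6Address(address)), "modifier": modifier, "nonce": os.urandom(8)}
    r["sig"] = sign(priv, _signed_fields(r))
    return r

class AccessRouter:
    def __init__(self, prefix):
        self.prefix = prefix
        self.manual = {}         # address -> shared secret issued by the administrator
        self.dhcp_bindings = {}  # address -> identifier recorded during the DHCP exchange
        self.registered = {}     # address -> identifier authorized to use it
        self.seen_nonces, self.seeds = set(), {}

    def authorize(self, r, assignment):
        """Step 4: may identifier H use address A? Step 5: if so, return a signature seed."""
        addr, pub, ident = r["address"], r["pubkey"], r["identifier"]
        if r["nonce"] in self.seen_nonces or not verify(pub, _signed_fields(r), r["sig"]):
            return None  # replayed or forged request
        self.seen_nonces.add(r["nonce"])
        if assignment == "manual":
            ok = addr in self.manual and ident == host_identifier(pub, self.manual[addr])
        elif assignment == "cga":
            ok = ident == host_identifier(pub) and str(cga_address(self.prefix, pub, r["modifier"])) == addr
        elif assignment == "dhcp":
            ok = ident == host_identifier(pub) and self.dhcp_bindings.get(addr) == ident
        else:  # stateless autoconfiguration or privacy addresses
            ok = ident == host_identifier(pub)
        if not ok or self.registered.get(addr, ident) != ident:
            return None  # wrong owner, or address already registered by another node
        self.registered[addr] = ident
        self.seeds[ident] = os.urandom(16)
        return self.seeds[ident]

def demo():
    """Authorize a CGA address, then show a replay and a second host are refused."""
    router, modifier = AccessRouter("2001:db8:1::/64"), bytes(16)
    pub, priv = rsa_keygen()
    addr = str(cga_address(router.prefix, pub, modifier))
    req = build_request(priv, pub, addr, modifier=modifier)
    first = router.authorize(req, "cga")
    pub2, priv2 = rsa_keygen()
    other = router.authorize(build_request(priv2, pub2, addr, modifier=modifier), "cga")
    return {"authorized": first is not None, "replay": router.authorize(req, "cga"), "other": other}
```

The nonce set is what makes the sniffed request useless to a replayer, and the `registered` table is the "not registered by another node" rule from the slide applied uniformly; in the manual case a second host that somehow holds the right shared secret still cannot take over an address already bound to another identifier. The `manual` and `dhcp_bindings` tables are populated out of band (administrator and DHCP exchange), which the example does not model.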
Address Allocation in DHCP Case
Figure (host, router, DHCP server):
1. Host: send the DHCP Solicitation with the source address set to the CGA identifier.
2. Router: record the CGA identifier.
3. Router: record the address allocated by the DHCP server and bind the identifier to that address.
Light-weight Signature Generation
• Signature generation options:
– Fixed Signature: not secure in an access network (a sniffed signature can simply be reused)
– HMAC: mature and secure, but needs a computation on each packet
– Pseudo Random Number (preferred): generate a sequence of signatures from the signature seed using a pseudo random number generation algorithm
• Loop:
– Get the first signature from the sequence
– Add the signature into the packet and send the packet
– Remove the signature from the sequence
• No per-packet computation, fast
Light-weight Signature Adding and Removal
• Where to place the signature in the packet:
– IPsec Authentication Header
– A new option header (e.g. Hop-by-Hop)
– In the source address field, using Address Rewrite:
• the signature is used as the local address,
• the router rewrites it with the authorized address,
• this saves the cost of the memory copy and of locating the header.
Traditional Signature Mechanism
Figure. Send process: locate the option header, then add the signature to the packet (memory copy). Receive process: locate the option header, then check and remove the signature.
Address Rewrite
• Avoids the memory copy and the option header lookup.
Figure. Send process: the host changes the source address field to be the signature. Receive process: the router looks the signature up in its mapping table from signature to address and rewrites the source address field to the authorized source address.
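Phase 2 end to end, covering the PRNG signature sequence, the signature-in-source-address placement and the Address Rewrite figure above, as an added example that is not the authors' code. Assumed, because the slides leave it open: the i-th signature is the first 64 bits of HMAC-SHA256(seed, i) (one concrete "pseudo random number" sequence), it travels as the interface ID of an fe80::/64 source address, the router keeps a lookahead window of pending signatures per binding so that a few lost packets do not desynchronize host and router, and packets are plain (src, dst, payload) tuples.

```python
"""CSA Phase 2 (address authentication) with a PRNG signature sequence and
Address Rewrite, as a host/router pair over constructed packets.

Added example, not the authors' code. Assumed, not in the slides: the i-th
signature is the first 64 bits of HMAC-SHA256(seed, i); it is carried as the
interface ID of an fe80::/64 source address; the router keeps a lookahead
window of pending signatures per binding so lost packets do not desynchronize
the pair; packets are (src, dst, payload) tuples.
"""
import hashlib, hmac, ipaddress, struct

LINK_LOCAL = ipaddress.IPv6Network("fe80::/64")

def signature_at(seed, index):
    """The index-th 64-bit signature of the sequence derived from the seed."""
    return hmac.new(seed, struct.pack(">Q", index), hashlib.sha256).digest()[:8]

class CsaHost:
    """Send process: put the next signature in the source address field."""
    def __init__(self, address, seed):
        self.address, self.seed, self.next_index = ipaddress.IPv6Address(address), seed, 0

    def send(self, dst, payload):
        sig = signature_at(self.seed, self.next_index)
        self.next_index += 1  # "remove the signature from the sequence"
        src = ipaddress.IPv6Address(LINK_LOCAL.network_address.packed[:8] + sig)
        return (src, dst, payload)

class CsaRouter:
    """Receive process: look the signature up and rewrite it to the authorized address."""
    def __init__(self, window=8):
        self.window = window
        self.table = {}     # pending signature -> (authorized address, index): the mapping table
        self.bindings = {}  # authorized address -> (seed, oldest pending index)

    def bind(self, address, seed):
        """Install the binding produced by Phase 1 and precompute the first window."""
        addr = ipaddress.IPv6Address(address)
        self.bindings[addr] = (seed, 0)
        for i in range(self.window):
            self.table[signature_at(seed, i)] = (addr, i)

    def receive(self, packet):
        """Return the packet with its real source address, or None to drop it."""
        src, dst, payload = packet
        entry = self.table.pop(src.packed[8:], None) if src in LINK_LOCAL else None
        if entry is None:
            return None  # unsigned, unknown, replayed or already-consumed signature: drop
        addr, idx = entry
        seed, oldest = self.bindings[addr]
        for i in range(oldest, idx):  # signatures of packets lost on the way are consumed too
            self.table.pop(signature_at(seed, i), None)
        for i in range(oldest + self.window, idx + 1 + self.window):
            self.table[signature_at(seed, i)] = (addr, i)  # slide the window forward
        self.bindings[addr] = (seed, idx + 1)
        return (addr, dst, payload)

def demo():
    """One legitimate packet, its replay, and a packet from a host that skipped Phase 1."""
    seed = b"seed-from-phase-1"
    host, router = CsaHost("2001:db8:1::a", seed), CsaRouter(window=4)
    router.bind("2001:db8:1::a", seed)
    p = host.send("2001:db8:2::1", b"hello")
    first = router.receive(p)
    replayed = router.receive(p)
    rogue = router.receive(CsaHost("2001:db8:1::a", b"guessed-seed").send("2001:db8:2::1", b"spoof"))
    return {"rewritten_src": str(first[0]), "replay_dropped": replayed is None, "rogue_dropped": rogue is None}
```

A packet that carries the global address directly in its source field, the classic spoof, never matches the table and is dropped; only the signature, which a sniffer has already seen consumed, maps to the authorized address. The window is strict and monotonic: a packet that arrives after a later one has been accepted is dropped as a replay, and a host that loses more than `window` packets in a row falls out of sync and must redo Phase 1. A per-signature replay bitmap in the style of IPsec would relax the first limitation at the price of more router state.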
4 Implementation and Experiment
• The host module is implemented as a program on a Linux PC.
• The router module is implemented as an element of the Click modular router.
• The demo works with Stateless Autoconfiguration, Manual Configuration and CGA.
• Currently we use the pseudo random number signature generation algorithm.
Experiments
Figure: Before Deployment / After Deployment.
Thank You!