from protecting protocols to layers: designing ...€¦ · layers: designing, implementing and...
TRANSCRIPT
![Page 1: From protecting protocols to layers: designing ...€¦ · layers: designing, implementing and experimenting with security policies in RINA Eduard Grasa (presenter), Ondrej Lichtner,](https://reader030.vdocuments.us/reader030/viewer/2022040616/5f136f9f3364876d2061d178/html5/thumbnails/1.jpg)
From protecting protocols to layers: security policies in RINA
From protecting protocols to layers: designing, implementing and experimenting with security
policies in RINA
Eduard Grasa (presenter), Ondrej Lichtner, Ondrej Rysavy, Hamid Asgari, John Day, Lou Chitkushev
FP7 PRISTINE ICC 2016, Kuala Lumpur, May 24th 2016
![Page 2: From protecting protocols to layers: designing ...€¦ · layers: designing, implementing and experimenting with security policies in RINA Eduard Grasa (presenter), Ondrej Lichtner,](https://reader030.vdocuments.us/reader030/viewer/2022040616/5f136f9f3364876d2061d178/html5/thumbnails/2.jpg)
WHATISRINA?1
2
![Page 3: From protecting protocols to layers: designing ...€¦ · layers: designing, implementing and experimenting with security policies in RINA Eduard Grasa (presenter), Ondrej Lichtner,](https://reader030.vdocuments.us/reader030/viewer/2022040616/5f136f9f3364876d2061d178/html5/thumbnails/3.jpg)
RINA highlights
• Network architecture resulting from a fundamental theory of computer networking
• Networking is InterProcess Communication (IPC) and only IPC. Unifies networking and distributed computing: the network is a distributed application that provides IPC
• There is a single type of layer with programmable functions, that repeats as many times as needed by the network designers
• All layers provide the same service: instances or communication (flows) to two or more application instances, with certain characteristics (delay, loss, in-order-delivery, etc)
• There are only 3 types of systems: hosts, interior and border routers. No middleboxes (firewalls, NATs, etc) are needed
• Deploy it over, under and next to current networking technologies
1
2
3
4
5
6
3
![Page 4: From protecting protocols to layers: designing ...€¦ · layers: designing, implementing and experimenting with security policies in RINA Eduard Grasa (presenter), Ondrej Lichtner,](https://reader030.vdocuments.us/reader030/viewer/2022040616/5f136f9f3364876d2061d178/html5/thumbnails/4.jpg)
From the “TCP/IP” protocol suite …
• Functional layers organized for modularity, each layer provides a different service to each other – As the RM is applied to the real world, it proofs to be
incomplete. As a consequence, new layers are patched into the reference model as needed (layers 2.5, VLANs, VPNs, virtual network overlays, tunnels, MAC-in-MAC, etc.)
(Theory) (Prac.ce)
4
![Page 5: From protecting protocols to layers: designing ...€¦ · layers: designing, implementing and experimenting with security policies in RINA Eduard Grasa (presenter), Ondrej Lichtner,](https://reader030.vdocuments.us/reader030/viewer/2022040616/5f136f9f3364876d2061d178/html5/thumbnails/5.jpg)
… to the RINA architecture Single type of layer, consistent API, programmable policies
Host
Borderrouter InteriorRouter
DIF
DIF DIF
Borderrouter
DIFDIF
DIF(DistributedIPCFacility)
Host
AppA
AppB
ConsistentAPIthrough
layers
IPCAPI
DataTransfer DataTransferControl LayerManagement
SDUDelimiNng
DataTransfer
RelayingandMulNplexing
SDUProtecNon
RetransmissionControl
FlowControl
RIBDaemon
RIB
CDAPParser/Generator
CACEP
Enrollment
FlowAllocaNon
ResourceAllocaNon
RouNng
AuthenNcaNon
StateVectorStateVectorStateVector
DataTransferDataTransfer
RetransmissionControl
RetransmissionControl
FlowControlFlowControl
IncreasingNmescale(funcNonsperformedlessoUen)andcomplexity
NamespaceManagement
SecurityManagement
5
![Page 6: From protecting protocols to layers: designing ...€¦ · layers: designing, implementing and experimenting with security policies in RINA Eduard Grasa (presenter), Ondrej Lichtner,](https://reader030.vdocuments.us/reader030/viewer/2022040616/5f136f9f3364876d2061d178/html5/thumbnails/6.jpg)
Deployment Clean-slate concepts but incremental deployment
Large-scale RINA Experimentation on FIRE+ 6
• IPv6 brings very small improvements to IPv4, but requires a clean slate deployment (not compatible to IPv4)
• RINA can be deployed incrementally where it has the right incentives, and interoperate with current technologies (IP, Ethernet, MPLS, etc.) – Over IP (just like any overlay such as VXLAN, NVGRE, GTP-U, etc.) – Below IP (just like any underlay such as MPLS or MAC-in-MAC) – Next to IP (gateways/protocol translation such as IPv6)
IP Network
RINA Provider
RINA Network
Sockets ApplicationsRINA supported Applications
IP or Ethernet or MPLS, etc
![Page 7: From protecting protocols to layers: designing ...€¦ · layers: designing, implementing and experimenting with security policies in RINA Eduard Grasa (presenter), Ondrej Lichtner,](https://reader030.vdocuments.us/reader030/viewer/2022040616/5f136f9f3364876d2061d178/html5/thumbnails/7.jpg)
PROPERTIESOFRINADESIGNCONTRIBUTINGTOSECURITY2
7
![Page 8: From protecting protocols to layers: designing ...€¦ · layers: designing, implementing and experimenting with security policies in RINA Eduard Grasa (presenter), Ondrej Lichtner,](https://reader030.vdocuments.us/reader030/viewer/2022040616/5f136f9f3364876d2061d178/html5/thumbnails/8.jpg)
Protecting layers instead of protocols All layers have the same consistent, security model
8
• Benefits of having an architecture instead of a protocol suite: the architecture tells you where security related functions are placed.
– Instead of thinking protocol security (BGPsec, DNSsec, IPsec, TLS, etc.), think security of the architecture: no more ‘each protocol has its own security’, ‘add another protocol for security’ or ‘add another box that does security’
OperaNngontheIPCP’sRIB
Accesscontrol
Sending/receivingPDUsthroughN-1DIF
Confiden.ality,integrity
NDIF
N-1DIF
IPCProcess
IPCProcess
IPCProcess
IPCProcess JoiningaDIF
authen.ca.on,accesscontrol
Sending/receivingPDUsthroughN-1DIF
Confiden.ality,integrity
OperaNngontheIPCP’sRIB
Accesscontrol
IPCProcess
Appl.Process
Accesscontrol(DIFmembers)
Confiden.ality,integrity
Authen.ca.on
AccesscontrolOpera.onsonRIB
DIFOperaNonLogging
DIFOperaNonLogging
![Page 9: From protecting protocols to layers: designing ...€¦ · layers: designing, implementing and experimenting with security policies in RINA Eduard Grasa (presenter), Ondrej Lichtner,](https://reader030.vdocuments.us/reader030/viewer/2022040616/5f136f9f3364876d2061d178/html5/thumbnails/9.jpg)
Separation of mechanism from policy
9
IPCAPI
DataTransfer DataTransferControl LayerManagement
SDUDelimiNng
DataTransfer
RelayingandMulNplexing
SDUProtecNon
RetransmissionControl
FlowControl
RIBDaemon
RIB
CDAPParser/Generator
CACEP
Enrollment
FlowAllocaNon
ResourceAllocaNon
RouNng
AuthenNcaNon
StateVectorStateVectorStateVector
DataTransferDataTransfer
RetransmissionControl
RetransmissionControl
FlowControlFlowControl
NamespaceManagement
SecurityManagement
• All layers have the same mechanisms and 2 protocols (EFCP for data transfer, CDAP for layer management), programmable via policies.
• Don’t specify/implement security protocols, only security policies – Re-use common layer structure, re-use security policies across layers
• This approach greatly simplifies the network structure, minimizing the cost of security and improving the security level – Complexity is the worst enemy of security (B. Schneier)
Authen.ca.on
Accesscontrol(layermgmtopera.ons)
Accesscontrol(joiningtheDIF)
Coordina.onofsecurityfunc.ons
Confiden.ality,Integrity
![Page 10: From protecting protocols to layers: designing ...€¦ · layers: designing, implementing and experimenting with security policies in RINA Eduard Grasa (presenter), Ondrej Lichtner,](https://reader030.vdocuments.us/reader030/viewer/2022040616/5f136f9f3364876d2061d178/html5/thumbnails/10.jpg)
Separation of mechanism from policy
10
IPCAPI
DataTransfer DataTransferControl LayerManagement
SDUDelimiNng
DataTransfer
RelayingandMulNplexing
SDUProtecNon
RetransmissionControl
FlowControl
RIBDaemon
RIB
CDAPParser/Generator
CACEP
Enrollment
FlowAllocaNon
ResourceAllocaNon
RouNng
AuthenNcaNon
StateVectorStateVectorStateVector
DataTransferDataTransfer
RetransmissionControl
RetransmissionControl
FlowControlFlowControl
NamespaceManagement
SecurityManagement
• All layers have the same mechanisms and 2 protocols (EFCP for data transfer, CDAP for layer management), programmable via policies.
• Don’t specify/implement security protocols, only security policies – Re-use common layer structure, re-use security policies across layers
• This approach greatly simplifies the network structure, minimizing the cost of security and improving the security level – Complexity is the worst enemy of security (B. Schneier)
Authen.ca.on
Accesscontrol(layermgmtopera.ons)
Accesscontrol(joiningtheDIF)
Coordina.onofsecurityfunc.ons
Confiden.ality,Integrity
Source:J.Smallmasterthesis
![Page 11: From protecting protocols to layers: designing ...€¦ · layers: designing, implementing and experimenting with security policies in RINA Eduard Grasa (presenter), Ondrej Lichtner,](https://reader030.vdocuments.us/reader030/viewer/2022040616/5f136f9f3364876d2061d178/html5/thumbnails/11.jpg)
Scope as a native construct Recursion provides isolation
• Size each DIF to the scope supported applications need – Only allow those that really need to connect to the apps
• No need for extra tools to do that: scope is built-in – DIFs are securable containers, no need for firewalls
11
Internet(TCP/IP) RINA
Defaultmodel Globalconnec.vity Controlledconnec.vity
Controlscopevia Firewalls,ACLs,VLANs,VirtualPrivateNetworks,etc..
Scopena.veconceptinarchitecture(DIF)
Example:Provider’snetworkinternallayershiddenfromcustomersandotherproviders
![Page 12: From protecting protocols to layers: designing ...€¦ · layers: designing, implementing and experimenting with security policies in RINA Eduard Grasa (presenter), Ondrej Lichtner,](https://reader030.vdocuments.us/reader030/viewer/2022040616/5f136f9f3364876d2061d178/html5/thumbnails/12.jpg)
Separating port allocation from sync. Complete application naming
• With app-names no need for well-known ports. Port-ids of local scope (not in protocol headers)
• CEP-ids (in protocol headers) dynamically generated for each flow
12
IPCPPA
AppA
Port-id
read/write 1
EFCPinstance,cep-id
8736
IPCPPA
AppB
Port-id
read/write
4
EFCPinstance,cep-id
9123
SynchronizaBon
• Well-known ports used to identify app endpoints; statically assigned. @s exposed to apps.
• Ports used also to identify TCP instances (in protocol headers). Attacker only needs to guess source port-id
RINA TCP/IPIP@:12
Portread/write 12
TCPinstance,port
12
IP@:78
Portread/write
78
TCPinstance,port
78
TCPPMA
TCPPMA
![Page 13: From protecting protocols to layers: designing ...€¦ · layers: designing, implementing and experimenting with security policies in RINA Eduard Grasa (presenter), Ondrej Lichtner,](https://reader030.vdocuments.us/reader030/viewer/2022040616/5f136f9f3364876d2061d178/html5/thumbnails/13.jpg)
DESIGNANDEXPERIMENTATIONWITHSECURITYPOLICIES3
13
![Page 14: From protecting protocols to layers: designing ...€¦ · layers: designing, implementing and experimenting with security policies in RINA Eduard Grasa (presenter), Ondrej Lichtner,](https://reader030.vdocuments.us/reader030/viewer/2022040616/5f136f9f3364876d2061d178/html5/thumbnails/14.jpg)
Customernetwork
InteriorRouter
CustomerBorderRouter
InteriorRouter Border
Router
P2P DIF
InteriorRouter
P2P DIF
BorderRouter
P2P DIF P2P DIF
InteriorRouter
BorderRouter
Provider1BackboneDIF
P2P DIF
BorderRouter
Provider1RegionalDIF
MulN-providerDIF
P2P DIF
AccessDIF
P2P DIF P2P DIF
Provider1network
Provider2network
IPCPA
IPCPB
IPCPC
P2P DIF P2P DIF
IPCPD
• DIFs are securable containers, strength of authentication and SDU Protection policies depends on its operational environment
• DIFs shared between provider/customer (blue DIF) may require strong authentication and encryption, specially if operating over wireless (red DIF)
• DIFs internal to a provider may do with no auth.: accessing the DIF requires physically compromising the provider’s assets (green and orange DIFs).
BorderRouter
Authentication and SDU protection policies
![Page 15: From protecting protocols to layers: designing ...€¦ · layers: designing, implementing and experimenting with security policies in RINA Eduard Grasa (presenter), Ondrej Lichtner,](https://reader030.vdocuments.us/reader030/viewer/2022040616/5f136f9f3364876d2061d178/html5/thumbnails/15.jpg)
Authentication policy: SSH2-based (I)
• Once applications (including IPCPs) have a flow allocated, go through application connection establishment phase – Negotiate app protocol (CDAP) version, RIB version, authenticate
• Specified authentication policy based on SSH2 authentication (uses per IPCP public/private RSA key pairs), adapted to the RINA environment
15
![Page 16: From protecting protocols to layers: designing ...€¦ · layers: designing, implementing and experimenting with security policies in RINA Eduard Grasa (presenter), Ondrej Lichtner,](https://reader030.vdocuments.us/reader030/viewer/2022040616/5f136f9f3364876d2061d178/html5/thumbnails/16.jpg)
Authentication policy: SSH2-based (II)
16
![Page 17: From protecting protocols to layers: designing ...€¦ · layers: designing, implementing and experimenting with security policies in RINA Eduard Grasa (presenter), Ondrej Lichtner,](https://reader030.vdocuments.us/reader030/viewer/2022040616/5f136f9f3364876d2061d178/html5/thumbnails/17.jpg)
Crypto SDU protection policy
• Crypto policy that encrypts/decrypts PCI and payload of EFCP PDUs – In general SDU protection is used by a DIF to protect its own data
(PCIs of data transfer PDUs and full layer management PDUs)
• Not assuming N-1 DIF will provide reliable and in-order-delivery -> using counter mode (as in IPsec) – AES128 and AES256 as supported encryption algorithms
• HMAC code to protect integrity of PDU – SHA256 chosen as hash algorithm
17
12
IPCPPA
IPCPPA
N-1flow
SDUProtecBon
SDUProtecBoncounter Encrypteddata HMAC
![Page 18: From protecting protocols to layers: designing ...€¦ · layers: designing, implementing and experimenting with security policies in RINA Eduard Grasa (presenter), Ondrej Lichtner,](https://reader030.vdocuments.us/reader030/viewer/2022040616/5f136f9f3364876d2061d178/html5/thumbnails/18.jpg)
Experimentation with IRATI
18
ProviderBorderRouter1
ProviderBorderRouter2
CustomerBorderRouter
ShimDIFoverEth ShimDIFoverEth
IPCPA
IPCPB
access.DIF IPCPC
IPCPD
regional.DIF
IPCPE
IPCPF
IPCPG
mulB-provider.DIF
Customernetwork
Providernetwork
Experimentalscenario
• IRATI is an open source, programmable implementation of RINA for Linux, written in C/C++
• Implemented plugins with authSSH2 auth. and SDU protection policies
![Page 19: From protecting protocols to layers: designing ...€¦ · layers: designing, implementing and experimenting with security policies in RINA Eduard Grasa (presenter), Ondrej Lichtner,](https://reader030.vdocuments.us/reader030/viewer/2022040616/5f136f9f3364876d2061d178/html5/thumbnails/19.jpg)
ONGOINGRINAINITIATIVES4
19
![Page 20: From protecting protocols to layers: designing ...€¦ · layers: designing, implementing and experimenting with security policies in RINA Eduard Grasa (presenter), Ondrej Lichtner,](https://reader030.vdocuments.us/reader030/viewer/2022040616/5f136f9f3364876d2061d178/html5/thumbnails/20.jpg)
Research, open source, standards • Current research projects
– FP7 PRISTINE (2014-2016) http://ict-pristine-eu – H2020 ARCFIRE (2016-2017) http://ict-arcfire.eu – Norwegian project OCARINA(2016-2021) – BU RINA team http://csr.bu.edu/rina
• Open source implementations – IRATI (Linux OS, C/C++, kernel components, policy framework, RINA
over X) http://github.com/irati/stack – RINASim (RINA simulator, OMNeT++) – ProtoRINA (Java, RINA over UDP, quick prototyping)
• Key RINA standardization activities – Pouzin Society (experimental specs) http://pouzinsociety.org – ISO SC6 WG7 (2 new projects: Future Network – Architectures, Future
Network- Protocols) – ETSI Next Generation Protocols ISG
1
2
3
4
1
2
3
1
2
3
20