patterns in network architecture: a new proposals for security
TRANSCRIPT
AAA
A
A
A
PATTERNS IN NETWORK ARCHITECTURE:
NEW PROPOSALS FOR SECURITY
AAA
A
A
A
NAMES
MANY PROPOSALS HAVE A SEPARATION OF IDENTIFIERS AND LOCATORS
PROPOSAL IDENTIFIERS LOCATORS
AIP Endpoint Identifier(EID)
[AD, EID], where AD is anAdministrative Domain
ILNP+IPv6 lower 64 bits of address all 128 bits of address
MobilityFirst Globally Unique Identifier(GUID)
[NA, GUID], where NA isa Network Address
NUTSS (user, domain, service)triple
IP addresses
which is goodfor mobility
which must beroutable
AAA
A
A
A
NAMES
MANY PROPOSALS with A SEPARATION OF IDENTIFIERS AND LOCATORS
also have LOCATOR = NETWORK + IDENTIFIER
PROPOSAL IDENTIFIERS LOCATORS
AIP Endpoint Identifier(EID)
[AD, EID], where AD is anAdministrative Domain
ILNP+IPv6 lower 64 bits of address all 128 bits of address
MobilityFirst Globally Unique Identifier(GUID)
[NA, GUID], where NA isa Network Address
this is convenient, but comes with some cost:
addressing inside a network must be “flat”, becauseaddresses are not chosen by the network
there is a risk of collisions, unlimited identifier minting
AAA
A
A
A
SELF-CERTIFYING IDENTIFIERS
MANY PROPOSALS with A SEPARATION OF IDENTIFIERS AND LOCATORS
also have LOCATOR = NETWORK + IDENTIFIER
and SELF-CERTIFYING IDENTIFIERS
PROPOSAL IDENTIFIERS LOCATORS
AIP Endpoint Identifier(EID)
[AD, EID], where AD is anAdministrative Domain
MobilityFirst Globally Unique Identifier(GUID)
[NA, GUID], where NA isa Network Address
S
these designs havealready paid the cost offlat identifiers
identifiers are hashesof public keys
public key needs tobe 2K bits
AIP EID is 160 bits
network namesare alsoself-certifying,for securerouting
with a challenge/response,anyone can check that a nodeis using its own identifier
there is no need to rely on atrusted global authority
AAA
A
A
A
FINDING AND MOBILITY
PROPOSAL
AIP DNS DNS
ILNP+IPv6 DNS DNS
MobilityFirst GNS (a bigger DNS,which is necessarybecause every hostwill have a GUID)
NUTSS for name-routed signaling DNSfinds P-box of domain, whichroutes to endpoint; if name-routed signaling is successful, itsupplies locator
MAP FROM HUMAN-READABLENAME TO IDENTIFIER
MAP FROM IDENTIFIERTO LOCATOR
when a host is mobile, it updates itslocator in DNS; because identifier
is self-certifying, DNS can trust update
GNSGNS shouldalso benefit
from self-certifyinglocation update
identifiers are human-readable
AAA
A
A
A
PROTECTION AGAINST SOURCE SPOOFING
ONLY AIP EXPLAINS IT, ALTHOUGH MobilityFirst HAS THE RIGHT KIND OF NAMES
source = [AD, EID] source = [AD, EID]
challenge: send nonce n
response:send [K+, K-(n)]
routerrouter
router forwards if
hash (K+) = EID, and
K+ (K- (n)) = n
router forwardsif j is the interface
where it sends packetsto AD (“unicast
reverse path forwarding”)
j
so protection relies on a chainof trustworthy routers, althoughthe AIP paper itself says youcan’t trust other networks’routers to be diligent in this way(?)
alternatively, any node can repeat the challenge/response
AAA
A
A
A
PROTECTION AGAINST DENIAL OF SERVICE
firewall. . .source
MUST FILTER OUTBAD TRAFFIC
MUST RECOGNIZE BAD TRAFFICWITH LITTLE EFFORT
because otherwise theattacker has already won
note, however, that there can be stages of defense,e.g., IDS diagnoses suspicious sources, which arethen blocked
THIS REQUIRES A . . .
however, a firewall cannot beconfigured with flat identifiers!
simply because there is noaggregation, so the schemeis not scalable
this is an opinionfrom the NUTSSpaper, but I don’tsee anything wrong with it
AIP and MobilityFirstpapers do notmention firewalls
AIP paper says thata victim can send ashutoff message toan attacker, . . .
. . . on which asmart NIC will stopthe attack, . . .
. . . which does notsound veryreassuring
AAA
A
A
A
policy-free
core network
edge networks withpolicies and firewalls
each edge network hasdomains and policy boxes (P-boxes)
hostA
hostB
(A, atlanta.com, service) wishes to connect to (B, biloxi.net, service)
registration registration
PROTECTION AGAINST DENIAL OF SERVICE IN NUTSS 1
AAA
A
A
A
policy-free
core networkhost
A
hostA
hostB
hostB
(A, atlanta.com, service) wishes to connect to (B, biloxi.net, service)
this request is transmitted through an overlay network
host A sendsto its P-box
atlanta.com biloxi.netchicago.org
P-box looks up biloxi.net in DNS,is routed to chicago.org along the way
at every P-box along the way,request is filtered by policiesthat match three-tuple name
PROTECTION AGAINST DENIAL OF SERVICE IN NUTSS 2
AAA
A
A
A
hostA
hostA
hostB
hostB
atlanta.com biloxi.netchicago.org
note that every P-box is associated with the firewall guarding its network
if the overlay handshake succeeds, both endpointsget a five-tuple that can be used in the Internetunderlay, and cryptographic tokens for passingthrough the firewalls (each P-box provides atoken for its own firewall)
PROTECTION AGAINST DENIAL OF SERVICE IN NUTSS 3
AAA
A
A
A
NUTSS SUMMARY
DOS PROTECTION
in the overlay, requests can beaggregated and filtered, withwildcards in any position of thethree-tuple
in the open Internet, firewalls canbe used as usual, with somepackets getting a free pass
caution:how many valid tokens are
there for a firewall to remember?
NUTSS is far more complicated than shown here, hopefully forgood reason (and it could use amuch better explanation, but thedetails are appreciated)
SIMILAR PROPOSALS
NEBULA uses the same approachof setting up a connection witha separate signaling path, but givesno details (not even about naming!)
the NUTSS overlay is similar to SIP(in fact, it is implemented usingSIP)
big difference is that NUTSSsignaling and data paths must besimilar
SIP is explicitly designed to have“signaling-media separation” (seethe SIP trapezoid)
so even if SIP proxies cooperatedwith firewalls, they could not helpmedia packets traverse firewalls(and, in general, they cannot)
AAA
A
A
A
INTER-DOMAIN ROUTING
AIP, MobilityFirst, NUTSS (and probablymany others) recommend routing interms of Autonomous Domains, not IPprefixes
if the name of the AD is self-certifying,this is clearly good for routing security
inter-domain routing to ADs clearlymakes sense when an AD is atopologically united subnetwork
does it also make sense for large,widespread AD?
there seems to be a notionthat networks form a hierarchy,like switches in a data center
the AIP paper reports on experimentsindicating that the diameter of the networkwill not increase, AD routing works
both AIP and MobilityFirst consider lists ofAD in addresses, which reminds me ofcompound sessions!
AAA
A
A
A
NEW PROPOSALS FOR SECURITY
WHICH ONE WOULD YOU BUY?
IT MIGHT BE NICE TO USECOMPOSITION TO CREATE AVARIETY OF ALTERNATIVES