RMTP-II Security Considerations
Brian Whetten, GlobalCast Communications

Types of Security Concerns
(Slide diagram: the concerns below are arranged along a Security Level axis from Highest to Lowest, and the diagram marks which layer addresses each of them: Multicast IPSec, RMTP-II or IP Multicast.)
- Mis-Configuration
- Denial of Service
- Authentication
- Access Control
- Privacy
- Non-Repudiation

RMTP-II Roles
- Sender - Sends reliable IP multicast traffic
- Top Node (TN) - Provides central control point
- Designated Receiver (DR) - ACK aggregation, local retransmission
- Receiver - Receives traffic, does not necessarily source multicast packets
- Assume: DRs and TNs are trusted, others aren't

Denial of Service Attacks
- Denial of Service to a Specific Receiver or Sender
- Corruption of Control State
- Network Overload
- Spurious Retransmission Requests
- Sender Transmitting Too Fast
- Improperly Scoped Multicast Packets
- CPU Exhaustion
- Group Membership Change Request Flooding
- Memory Exhaustion
- Refusal to ACK Packets
- Others?

Strong Defense for Denial of Service
- Extend Multicast IPSec to provide light-weight group authentication
  - One key for all DRs and TNs in the same trust domain
  - One key for each sender
  - One key for all receivers
  - Otherwise as per Canetti Draft
- Still allows valid senders/receivers access to DoS attacks, if they are malicious
  - Network manager can likely remove or punish user
- Still allows brute force DoS attacks
  - Solved at the IP level (SEP)

Light Weight Authentication
(Slide diagram: a Sender, an ISP, a Top Node, DRs, Receivers and a Group Controller Server spread across New York, Tokyo and London.)
- Different keys, depending on roles
- Options: multiple keys for each network trust domain, for each sender
- Implemented as part of security architecture
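The role-keyed authentication sketched on the previous two slides, worked through as an added example (this is not RMTP-II code, nor code from the talk): one HMAC key shared by the DRs and TNs of a trust domain, one per sender, one shared by all receivers. The packet layout, the message names and the policy of which role may originate which control message are constructed for the example; RMTP-II's real formats are not on the slides. The last case in demo() shows the caveat the slide makes: a receiver who holds the group's receiver key can still emit well-formed, correctly tagged retransmission requests, so authentication narrows DoS to key holders rather than eliminating it.

```python
import hmac
import hashlib
from dataclasses import dataclass, replace

# Role names are constructed for this example, mirroring the slide's key layout.
ROLE_TRUSTED = "dr_tn"       # one key shared by all DRs and TNs in a trust domain
ROLE_SENDER = "sender"       # one key per sender
ROLE_RECEIVER = "receiver"   # one key shared by all receivers

# Constructed policy (an assumption, not RMTP-II's): which roles may
# originate which message types. Control of the tree stays with DR/TN keys.
ALLOWED_ORIGINATORS = {
    "data": {ROLE_SENDER},
    "retransmit_request": {ROLE_RECEIVER, ROLE_TRUSTED},
    "membership_change": {ROLE_RECEIVER, ROLE_TRUSTED},
    "rate_control": {ROLE_TRUSTED},
}


@dataclass(frozen=True)
class Packet:
    role: str
    sender_id: str      # only meaningful for ROLE_SENDER, empty otherwise
    msg_type: str
    seq: int
    body: bytes
    tag: bytes = b""


class GroupKeyring:
    """The three key classes from the slide, held by one node."""

    def __init__(self, trusted_key, receiver_key, sender_keys):
        self.trusted_key = trusted_key
        self.receiver_key = receiver_key
        self.sender_keys = dict(sender_keys)   # sender_id -> key

    def key_for(self, role, sender_id):
        if role == ROLE_TRUSTED:
            return self.trusted_key
        if role == ROLE_RECEIVER:
            return self.receiver_key
        if role == ROLE_SENDER:
            return self.sender_keys.get(sender_id)
        return None


def _mac_input(pkt):
    # Bind role, sender id, type and sequence number into the MAC so a tag
    # cannot be replayed under another role, sender or message type.
    header = f"{pkt.role}|{pkt.sender_id}|{pkt.msg_type}|{pkt.seq}|".encode()
    return header + pkt.body


def tag_packet(keyring, pkt):
    key = keyring.key_for(pkt.role, pkt.sender_id)
    if key is None:
        raise ValueError("no key for this role/sender")
    return replace(pkt, tag=hmac.new(key, _mac_input(pkt), hashlib.sha256).digest())


def verify_packet(keyring, pkt):
    """True only if the claimed role may originate this message type and the
    tag was computed under the key that role holds."""
    if pkt.role not in ALLOWED_ORIGINATORS.get(pkt.msg_type, set()):
        return False
    key = keyring.key_for(pkt.role, pkt.sender_id)
    if key is None:
        return False
    expected = hmac.new(key, _mac_input(pkt), hashlib.sha256).digest()
    return hmac.compare_digest(expected, pkt.tag)


def demo_keyring():
    # Constructed fixed keys; real keys come from the group key management.
    return GroupKeyring(b"T" * 32, b"R" * 32, {"sender-A": b"A" * 32})


def demo():
    kr = demo_keyring()
    results = {}
    nack = tag_packet(kr, Packet(ROLE_RECEIVER, "", "retransmit_request", 7, b"lost=100-104"))
    results["valid_nack"] = verify_packet(kr, nack)
    # Body changed after tagging: rejected.
    results["tampered"] = verify_packet(kr, replace(nack, body=b"lost=0-99999"))
    # Holder of the receiver key claims the DR/TN role: wrong key class, rejected.
    p = Packet(ROLE_TRUSTED, "", "rate_control", 8, b"rate=0")
    p = replace(p, tag=hmac.new(kr.receiver_key, _mac_input(p), hashlib.sha256).digest())
    results["wrong_role_key"] = verify_packet(kr, p)
    # Correctly tagged under the receiver key, but receivers may not send rate control.
    results["receiver_rate_control"] = verify_packet(
        kr, tag_packet(kr, Packet(ROLE_RECEIVER, "", "rate_control", 9, b"rate=0")))
    # Unknown sender id: no key, rejected.
    results["unknown_sender"] = verify_packet(kr, Packet(ROLE_SENDER, "sender-Z", "data", 1, b"x"))
    # The slide's caveat: a malicious but valid receiver still passes authentication.
    results["malicious_member"] = verify_packet(
        kr, tag_packet(kr, Packet(ROLE_RECEIVER, "", "retransmit_request", 10, b"lost=0-99999")))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The per-role policy table is what turns a shared key into a defence: with only the receiver key, an attacker cannot produce tree-control messages, but the "malicious_member" case is exactly why the slide keeps the network manager's removal and the weaker rate-limiting defences alongside authentication.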

Weak Defenses for Denial of Service
- Check IP addresses of control packet author against local group list (spoofable)
  - Helps: Corruption of Control State
  - Helps: Spurious Retransmission Requests
  - Helps: Group Membership Change Request Flooding
- Bandwidth limits on local retransmissions
  - Part of local recovery pathology management
  - Helps: Spurious Retransmission Requests
- Forced removal of slow receivers
  - Helps: Refusal to ACK Packets
  - Helps: Spurious Retransmission Requests

Weak Defenses (cont.)
- Manual network manager controls
  - Allows network manager to control transmission rates
  - Could be extended to rejecting senders and receivers
  - Helps: Sender Transmitting Too Fast
  - Helps: Spurious Retransmission Requests
- Congestion control works with worst report
  - Helps: Sender Transmitting Too Fast
- IP Multicast defenses (pruning, etc.)
  - Helps: Improperly Scoped Multicast Packets (SEP)
  - Helps: Sender Transmitting Too Fast
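Three of the weak defences from the two slides above, combined into one DR-side policy as an added example (constructed for this page, not RMTP-II's own recovery code): the source-address check against the local group list, a byte budget per second on local retransmissions, and forced removal of receivers that stop ACKing. The class, the budget window and the sample addresses are assumptions. As the slide notes, the address check is spoofable, which is why it is listed as weak and paired with the rate limit rather than relied on alone.

```python
import ipaddress
from collections import defaultdict


class LocalRecoveryPolicy:
    """Constructed DR-side policy: group-list check, retransmission byte
    budget per one-second window, and removal of receivers that miss ACKs."""

    def __init__(self, group_members, retx_bytes_per_sec, max_missed_acks):
        # Local group list as the slide describes; membership is by source IP,
        # which an attacker can spoof, so this check is only a first filter.
        self.members = {ipaddress.ip_address(m) for m in group_members}
        self.budget_per_sec = retx_bytes_per_sec
        self.max_missed_acks = max_missed_acks
        self._window_start = None
        self._spent = 0
        self.missed_acks = defaultdict(int)
        self.removed = set()

    def handle_retransmit_request(self, src_ip, nbytes, now):
        """Decide what to do with a local retransmission request."""
        src = ipaddress.ip_address(src_ip)
        if src not in self.members or src in self.removed:
            return "rejected: source not in local group list"
        # Fixed one-second window on retransmission bytes (assumed design).
        if self._window_start is None or now - self._window_start >= 1.0:
            self._window_start = now
            self._spent = 0
        if self._spent + nbytes > self.budget_per_sec:
            return "dropped: local retransmission bandwidth limit"
        self._spent += nbytes
        return "retransmit"

    def ack_round(self, acked_by):
        """Record one ACK round; receivers that miss max_missed_acks rounds in
        a row are removed from the local group. Returns those removed now."""
        acked = {ipaddress.ip_address(a) for a in acked_by}
        removed_now = []
        for m in self.members - self.removed:
            if m in acked:
                self.missed_acks[m] = 0
                continue
            self.missed_acks[m] += 1
            if self.missed_acks[m] >= self.max_missed_acks:
                self.removed.add(m)
                removed_now.append(str(m))
        return sorted(removed_now)


def run_scenario():
    # Constructed scenario: three local receivers, 1000 B/s retransmission
    # budget, removal after three consecutive missed ACK rounds.
    policy = LocalRecoveryPolicy(["10.0.0.1", "10.0.0.2", "10.0.0.3"], 1000, 3)
    out = {}
    out["outsider"] = policy.handle_retransmit_request("192.0.2.9", 100, 0.0)
    out["first_in_window"] = policy.handle_retransmit_request("10.0.0.1", 600, 0.0)
    out["over_budget"] = policy.handle_retransmit_request("10.0.0.2", 600, 0.5)
    out["next_window"] = policy.handle_retransmit_request("10.0.0.2", 600, 1.2)
    rounds = [policy.ack_round(["10.0.0.1", "10.0.0.2"]) for _ in range(3)]
    out["removed_per_round"] = rounds
    out["after_removal"] = policy.handle_retransmit_request("10.0.0.3", 100, 2.0)
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

A receiver that refuses to ACK is cut off after a bounded number of rounds, so it can no longer hold back the tree or keep generating recovery traffic; a flood of spurious requests from members is capped by the byte budget rather than by trusting any single request.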

TN Manageability
(Slide diagram: the Sender, the TN, the Network, a Manager, DRs and Receivers.)
- Top node controls the tree
  - Gives manager control
- App requests QoS
  - Manager can override
- Congestion control works to meet QoS
- Top node reports group performance to manager
  - Manager can adjust parameters on the fly

Mis-Configuration
- RMTP-II presently requires manual configuration
  - Performance parameters
  - Tree topology configuration
  - Both are topics for further research
- Concern: minimize scope of configuration errors
  - Ideally to the network controlled by that administrator
  - Tree topology errors typically affect all downstream nodes
  - Performance parameters are primarily specified per-tree, at the top node, or per-group, specified at the sender
  - Topic requires further study