Architectural issues for network-layer identifiers
Stefan Savage, Dept of Computer Science & Engineering, UC San Diego


Historical context
- In the beginning... it was amazing the net worked at all.
- Everyone was a good actor.

Existing Internet design
- Focused on universal connectivity
- IP address: identifiers purely for the purpose of connectivity
  - Dst address for routing, src to identify the destination for replies
  - Strictly voluntary
- Actively trying to introduce a homogeneous substrate
  - Unbound usage model
- Security not a significant consideration in the network layer; trust everyone equally
- Cryptography expensive relative to transport
  - Cryptographic abstractions limited
  - Also true when IPSec was designed

What has changed?
- Many users/providers don't want homogeneity
  - Most src addresses today are NATed
  - We want to limit who can talk to whom
- Huge growth in criminal activity
  - 10s of millions of compromised machines
  - Sophisticated abuse of the network layer

Problems
- Network architecture provides "how"
- Security questions are mainly about "who" and "what"
- Ad hoc, brittle mappings between the two
  - Firewalls (address, port)
  - Ingress/egress filtering
  - DDoS filtering (TTL hack, blackholing, etc.)
- Key issue: can't count on the src address being correct or global
  - Even if it is correct, it only represents the existence of an endpoint
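As an added illustration of the "ingress/egress filtering" item above (example code, not part of the slides): a reverse-path source-address check on a router with a constructed routing table. It shows both what the check catches and why the mapping is brittle: strict mode drops a legitimate packet that arrives over an asymmetric path, loose mode lets the spoofed packets through, and even a forwarded packet's source only says which side of the router it came from. Interface names and prefixes (RFC 5737 documentation ranges) are assumptions.

```python
import ipaddress
from typing import Optional

# Constructed routing table: (prefix, interface the router uses to reach it).
ROUTES = [
    (ipaddress.ip_network("192.0.2.0/24"), "lan0"),     # customer network
    (ipaddress.ip_network("198.51.100.0/24"), "wan1"),  # second upstream
    (ipaddress.ip_network("0.0.0.0/0"), "wan0"),        # default upstream
]


def route_for(addr: str) -> Optional[str]:
    """Longest-prefix match: the interface this router would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, iface in ROUTES:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def check_source(arrival_iface: str, src: str, mode: str = "strict") -> str:
    """Decide 'forward' or 'drop' for a packet claiming source src on arrival_iface.
    strict: the return path to src must leave via the arrival interface.
    loose:  any route to src is enough (tolerates asymmetric routing, catches less).
    Note: 'forward' only means src is plausible for this interface; it says
    nothing about which host or user actually sent the packet."""
    back = route_for(src)
    if back is None:
        return "drop"                      # no route at all: unroutable source
    if mode == "strict" and back != arrival_iface:
        return "drop"                      # source does not belong on this side
    return "forward"


def demo() -> dict:
    # Constructed packets: (arrival interface, claimed source address)
    cases = {
        "inside host, own prefix":    ("lan0", "192.0.2.10"),
        "inside host spoofs outside": ("lan0", "203.0.113.7"),
        "outsider spoofs inside":     ("wan0", "192.0.2.10"),
        "ordinary outside traffic":   ("wan0", "203.0.113.7"),
        "asymmetric path via wan0":   ("wan0", "198.51.100.4"),
    }
    return {name: (check_source(i, s, "strict"), check_source(i, s, "loose"))
            for name, (i, s) in cases.items()}


if __name__ == "__main__":
    for name, (strict, loose) in demo().items():
        print(f"{name:28s} strict={strict:8s} loose={loose}")
```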

Worth rethinking...
- How might we design packet identifiers to provide useful attribution?
- Attribution, working definition: the act of linking identity with action
- Uses
  - Authentication: who wants to do that? Access control
  - Situational awareness: who is doing that now? Operational response (e.g. filtering DDoS, botnet C&C)
  - Forensics: who did that in the past? Investigatory, evidentiary

Design options
- Meaning of identifier
  - Network attribute
    - IP address: topological endpoint
    - Path: topological route (StackPI)
  - Physical attribute
    - Location: place the packet was sent from (used today in payment systems)
    - Originator: machine the packet was sent from
  - User attribute
    - Capability: right to access something
    - Principal: evidence of an individual
- Scope of identifier (local, global, in-between)
- Who can interpret it (anyone, trusted party, hybrid)

New opportunity
- Crypto has advanced significantly
  - Many operations are comparatively cheap now: 10s of microseconds
  - Line-rate hardware implementations feasible
- Completely new kinds of cryptography
  - Groups, aggregates, append-only, IBE, attribute-based crypto, homomorphic crypto, broadcast systems, etc.
  - It's not just encrypt, hash and sign anymore...
- New tools provide new design opportunities

Remaining agenda
- Revisiting the cryptographic toolbox (Boneh)
- Local identifiers for access control (Casado)
- Global identifiers for forensics (Savage)

Attribution To whom