A CGA based Source Address Authentication Method in IPv6 Access Network(CSA) Guang Yao, Jun Bi and Pingping Lin Tsinghua University APAN26 Queenstown,

A CGA based Source Address Authentication Method in IPv6 Access Network (CSA)
Guang Yao, Jun Bi and Pingping Lin, Tsinghua University
APAN26, Queenstown, New Zealand, Aug 4, 2008

Outline
– Background of IP Spoofing
– Related Work
– CSA Mechanism
– Evaluation and Experiment

1 Background of IP Spoofing
Attackers can easily send packets whose source address is set deliberately or at random. Such packets are used in various network attacks, e.g., SYN flooding, Smurf and Man-In-The-Middle. When an attacker uses IP spoofing, tracing him is very hard. According to CAIDA's observations, there are at least 4000 spoofing attacks per week.

An Example of IP Spoofing Attack
(figure: a packet sent with a spoofed source address, and the resulting amplified response)

2 Related Work
There are three kinds of prevention methods:
– Filtering on path
– End-to-End Authentication
– Traceback
Filtering in the access network belongs to filtering on path. It filters spoofed packets nearest to their source, and so limits the damage of these packets to the minimum.

Access Network Mechanisms
Ingress Filtering
– Effective, but coarse granularity
IP Source Guard
– For IPv4 only
– Cannot be used in a network without switches
Signature Based Authentication
– Only allows a user to have a fixed address
– Needs a PKI to authenticate the identity of the user

3 CSA Mechanism
Outline
– Summary of Requirements
– Overview of Procedure
– New Ideas

Summary of Requirements for an IPv6 Access Network Mechanism
– Host level filtering granularity
– Light-weight in both deployment and authentication
– Suits all address assignment methods in IPv6
  – Stateless Autoconfiguration
  – DHCP
  – Manual Configuration
  – Cryptographically Generated
  – Privacy
– Allows an interface to be assigned multiple addresses

Overview of Procedure
Phase 1: Address Authorization (5 steps)
(1) Prepare an address A
(2) An identifier is used to show that the applicant is H
(3) "I'm H and I require to use address A"
(4) Check whether identifier H can use the required address A
(5) Return a signature seed for future authentication

Overview of Procedure
Phase 2: Address Authentication
– Generate signature based on the signature seed
– Add signature
– Check signature and remove it

New Ideas
Phase 1: Address Authorization
– Use Host Identifier to achieve host level granularity
– Router authorizes the requested address based on the knowledge of address assignment
Phase 2: Address Authentication
– Light-weight signature generation: Pseudo Random Number Generation
– Light-weight signature adding and removal: Address Rewrite

Host Identifier
The host generates a public key pair first.
For anonymous address owners (DHCP, SAC, CGA, Privacy), identifier = hash(Public Key) [described in CGA].
For any address assignment mechanism involving manual configuration, identifier = hash(Public Key + Shared Secret). The Shared Secret is a bit string allocated to the host together with the address by the network administrator.
The identifier must appear with the public key and a signature over the whole packet computed with the private key. The packet must also contain a nonce to prevent replay attacks. An attacker can obtain the identifier and the public key by sniffing, but cannot generate a correct signature.

Authorization on the Knowledge of Address Assignment
The knowledge of address assignment:
– Manual Configuration: Re-compute the identifier using the shared secret of the address owner.
– SAC/Privacy/CGA: The address has not been registered by another node. In the CGA case, the requested address must be a correct CGA address computed on the public key.
– DHCP: The identifier in the request packet must be the one which was used to apply for the address from the DHCP server. [See next page]

Address Allocation in DHCP Case
(figure) DHCP Solicitation with the source address set to the CGA identifier; record the CGA identifier; record the address allocated; bind the identifier and the address.
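The Phase 1 authorization decision from the three preceding slides (identifier derivation, the per-assignment-method knowledge checks, and the DHCP identifier binding) as an added example; this is illustration code, not the CSA prototype. It assumes SHA-256 truncated to 64 bits as the hash, a simplified CGA in which the interface identifier is just hash(Public Key), and that the request's public-key signature and nonce were verified before the router decides.

```python
import hashlib
import ipaddress
import os
from typing import Dict, Optional

def host_identifier(pubkey: bytes, shared_secret: Optional[bytes] = None) -> bytes:
    """identifier = hash(Public Key), or hash(Public Key + Shared Secret) for an
    address that was manually configured. Assumption: SHA-256 truncated to 64 bits."""
    data = pubkey if shared_secret is None else pubkey + shared_secret
    return hashlib.sha256(data).digest()[:8]

def cga_address(prefix: str, pubkey: bytes) -> str:
    """Simplified CGA (assumption): interface identifier = hash(Public Key).
    Real CGA (RFC 3972) also hashes the prefix, a modifier and a collision count."""
    net = ipaddress.IPv6Address(prefix).packed[:8]
    return str(ipaddress.IPv6Address(net + host_identifier(pubkey)))

class AuthorizingRouter:
    """Phase 1, step 4: decide whether identifier H may use address A; on success
    return a signature seed (step 5). The request's public-key signature and nonce
    are assumed to have been verified before authorize() is called."""
    def __init__(self) -> None:
        self.manual_secrets: Dict[str, bytes] = {}  # address -> shared secret of its owner
        self.dhcp_bindings: Dict[str, bytes] = {}   # DHCP address -> identifier that obtained it
        self.registered: Dict[str, bytes] = {}      # address -> identifier currently authorized

    def authorize(self, addr: str, ident: bytes, pubkey: bytes, kind: str) -> Optional[bytes]:
        addr = str(ipaddress.IPv6Address(addr))     # canonical text form for table keys
        owner = self.registered.get(addr)
        if owner is not None and owner != ident:
            return None                             # already registered by another node
        if kind == "manual":
            secret = self.manual_secrets.get(addr)
            ok = secret is not None and ident == host_identifier(pubkey, secret)
        elif kind == "cga":
            # the requested address must be the CGA computed on this public key
            ok = ident == host_identifier(pubkey) and addr == cga_address(addr, pubkey)
        elif kind in ("sac", "privacy"):
            ok = ident == host_identifier(pubkey)   # plus the "not registered" rule above
        elif kind == "dhcp":
            ok = self.dhcp_bindings.get(addr) == ident
        else:
            ok = False
        if not ok:
            return None
        self.registered[addr] = ident
        return os.urandom(16)                       # signature seed for phase 2 (constructed)
```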

Light-weight Signature Generation
Signature Generation
– Fixed Signature: not secure in an access network
– HMAC: mature and secure, but needs computation on each packet
– Pseudo Random Number (preferred): generate a sequence of signatures from the signature seed using a pseudo random number generation algorithm
  Loop:
  – Get the first signature from the sequence
  – Add the signature into the packet, send the packet
  – Remove the signature from the sequence
  No computation per packet, fast

Light-weight Signature Adding and Removal
The position to place the signature in the packet:
– IPsec Authentication Header
– A new option header (e.g. Hop-by-hop)
– In the source address field, using Address Rewrite: the signature is used as the local address, and the router rewrites it with the authorized address (saves the cost of memory copy and header location)

Traditional Signature Mechanism
(figure) Send process: locate the option header, add the signature to the packet. Receive process: locate the option header, remove the signature from the packet.

Address Rewrite
Avoids the memory copy and the option header location.
(figure) Send process: change the source address field to be the signature. Receive process: rewrite the source address field to the source address, using a mapping table from signature to address.
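Phase 2 as described on the Light-weight Signature Generation and Address Rewrite slides, as an added example (not the authors' Click or host code): both sides derive the same signature sequence once from the seed, the host puts the next signature in the source address field, and the router maps it back and consumes it. Assumptions: HMAC-SHA256 in counter mode stands in for the unspecified PRNG, 8 signatures per seed, and the packet is a plain dict.

```python
import hashlib
import hmac
import ipaddress
from typing import Any, Dict, List, Optional

SEQ_LEN = 8  # signatures precomputed per seed (assumed; host re-authorizes for a new seed)

def signature_sequence(seed: bytes, n: int = SEQ_LEN) -> List[bytes]:
    """Derive n 128-bit signatures from the signature seed. Assumption: HMAC-SHA256 in
    counter mode is the PRNG; host and router each run it once, not per packet."""
    return [hmac.new(seed, i.to_bytes(4, "big"), hashlib.sha256).digest()[:16]
            for i in range(n)]

class Host:
    def __init__(self, authorized_addr: str, seed: bytes) -> None:
        self.addr = ipaddress.IPv6Address(authorized_addr)
        self.pending = signature_sequence(seed)   # loop state: first entry is the next to use

    def send(self, payload: bytes) -> Dict[str, Any]:
        sig = self.pending.pop(0)                 # get the first signature, then remove it
        # Address Rewrite: the source address field carries the signature, not self.addr
        return {"src": ipaddress.IPv6Address(sig), "payload": payload}

class Router:
    def __init__(self) -> None:
        self.table: Dict[bytes, ipaddress.IPv6Address] = {}  # signature -> authorized address

    def install(self, authorized_addr: str, seed: bytes) -> None:
        """After phase 1: map every signature derived from the seed to the address."""
        for sig in signature_sequence(seed):
            self.table[sig] = ipaddress.IPv6Address(authorized_addr)

    def receive(self, pkt: Dict[str, Any]) -> Optional[Dict[str, Any]]:
        """Check the signature and rewrite the field back to the authorized source
        address. Each signature is consumed on use, so a replayed packet is dropped."""
        addr = self.table.pop(pkt["src"].packed, None)
        if addr is None:
            return None                           # unknown or already-used signature: drop
        return {"src": addr, "payload": pkt["payload"]}
```

Because the router pops each entry, packets may arrive out of order but a sniffed signature cannot be reused once the genuine packet has passed.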

4 Implementation and Experiment
The host module is implemented as a program on a Linux PC. The router module is implemented as an element of the Click Router. The demo works with Stateless Autoconfiguration, Manual Configuration and CGA. Currently we use the pseudo random number signature generation algorithm.

Experiments
(figures: Before Deployment, After Deployment)

Thank You!