Holding the Internet Accountable David Andersen, Hari Balakrishnan, Nick Feamster, Teemu Koponen, Daekyeong Moon, Scott Shenker.

Slides:

Advertisements

Similar presentations

Accountable Internet Protocol

Advertisements

Network Support for Accountability Nick Feamster Georgia Tech Collaborative Response with David Andersen (CMU), Hari Balakrishnan (MIT), Scott Shenker.

Accountable Internet Protocol David Andersen (CMU) Hari Balakrishnan (MIT) Nick Feamster (Georgia Tech) Scott Shenker (Berkeley)

IP Security Nick Feamster CS 6262 Spring IP Security have a range of application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS.

Multihoming and Multi-path Routing

Network Support for Sharing. 2 CABO: Concurrent Architectures are Better than One No single set of protocols or functions –Different applications with.

Secure Naming structure and p2p application interaction IETF - PPSP WG July 2010 Christian Dannewitz, Teemu Rautio and Ove Strandberg.

Improving Internet Availability Network Accountability Architectural foundations for defense against spoofing, route hijacking, etc. Architecture for Market.

Shutup An E2E Approach to DoS Defense Paul Francis Saikat Guha Cornell.

Internet Protocol Security (IP Sec)

1 Data-Oriented Network Architecture (DONA) Scott Shenker (M. Chowla, T. Koponen, K. Lakshminarayanan, A. Ramachandran, A. Tavakoli, I. Stoica)

Chapter 14 – Authentication Applications

Why do current IP semantics cause scaling issues? −Today, “addressing follows topology,” which limits route aggregation compactness −Overloaded IP address.

IP Forwarding Relates to Lab 3.

Cs/ee 143 Communication Networks Chapter 6 Internetworking Text: Walrand & Parekh, 2010 Steven Low CMS, EE, Caltech.

NPLA: Network Prefix Level Authentication Ming Li,Yong Cui,Matti Siekkinen,Antti Ylä-Jääski Aalto University, Finland Tsinghua University, China.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1/32 Internet Architecture Lukas Banach Tutors: Holger Karl Christian Dannewitz Monday C. Today I³SI³HIPHI³.

1 Towards Secure Interdomain Routing For Dr. Aggarwal Win 2004.

NISNet Winter School Finse Internet & Web Security Case Study 2: Mobile IPv6 security Dieter Gollmann Hamburg University of Technology

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

CMSC 414 Computer (and Network) Security Lecture 15 Jonathan Katz.

1 Link Layer & Network Layer Some slides are from lectures by Nick Mckeown, Ion Stoica, Frans Kaashoek, Hari Balakrishnan, and Sam Madden Prof. Dina Katabi.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

Interdomain Routing Security Jennifer Rexford Advanced Computer Networks Tuesdays/Thursdays.

Security Risks for Ad Hoc Networks and how they can be alleviated By: Jones Olaiya Ogunduyilemi Supervisor: Jens Christian Godskesen © Dec

Inter-domain Routing security Problems Solutions.

Efficient and Secure Source Authentication with Packet Passports Xin Liu (UC Irvine) Xiaowei Yang (UC Irvine) David Wetherall (Univ. of Washington) Thomas.

1 Chapter 13: Representing Identity What is identity Different contexts, environments Pseudonymity and anonymity.

© 2009 Cisco Systems, Inc. All rights reserved. ROUTE v1.0—6-1 Connecting an Enterprise Network to an ISP Network Considering the Advantages of Using BGP.

K. Salah1 Security Protocols in the Internet IPSec.

PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.

1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.

What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux.

Chapter 22 Network Layer: Delivery, Forwarding, and Routing

1 Accountable Internet Protocol David Andersen, Hari Balakrishnan, Nick Feamster, Teemu Koponen, Daekyeong Moon, Scott Shenker Carnegie Mellon University,

© Janice Regan, CMPT 128, CMPT 371 Data Communications and Networking BGP, Flooding, Multicast routing.

1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.

Information-Centric Networks07c-1 Week 7 / Paper 3 Accountable Internet Protocol (AIP) –Michael Walfish, Hari Balakrishnan and Scott Shenker David G. Andersen,

Implementing EFECT Easy Fast Efficient Certification Technique Ivan Nestlerode Bell Labs Lucent Technologies Based on EFECT paper by: Phil MacKenzie, Bell.

25-Oct-15Network Layer Connecting Devices Networks do not normally operate in isolation.They are connected to one another using connecting devices. The.

1 Topic 2: Lesson 3 Intro to Firewalls Summary. 2 Basic questions What is a firewall? What is a firewall? What can a firewall do? What can a firewall.

Interdomain Routing Security. How Secure are BGP Security Protocols? Some strange assumptions? – Focused on attracting traffic from as many Ases as possible.

More on Internet Routing A large portion of this lecture material comes from BGP tutorial given by Philip Smith from Cisco (ftp://ftp- eng.cisco.com/pfs/seminars/APRICOT2004.

Information-Centric Networks06b-1 Week 6 / Paper 2 A layered naming architecture for the Internet –Hari Balakrishnan, Karthik Lakshminarayanan, Sylvia.

SDX: A Software-Defined Internet eXchange Jennifer Rexford Princeton University

Information-Centric Networks06c-1 Week 6 / Paper 3 Middleboxes No Longer Considered Harmful –Michael Walfish, Jeremy Stribling, Maxwell Krohn, Hari Balakrishnan,

Information-Centric Networks Section # 6.3: Evolved Naming & Resolution Instructor: George Xylomenos Department: Informatics.

1 APNIC Trial of Certification of IP Addresses and ASes RIPE October 2005 Geoff Huston.

Information-Centric Networks Section # 7.3: Evolved Addressing & Forwarding Instructor: George Xylomenos Department: Informatics.

Routing in the Inernet Outcomes: –What are routing protocols used for Intra-ASs Routing in the Internet? –The Working Principle of RIP and OSPF –What is.

Adam Bender, Neil Spring Dave Levin, Bobby Bhattacharjee University of Maryland, College Park In Proc. USENIX SRUTI, 2007 Speaker: Yun Liaw Accountability.

1 Border Gateway Protocol (BGP) and BGP Security Jeff Gribschaw Sai Thwin ECE 4112 Final Project April 28, 2005.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

Role of Router. The Router as a Perimeter Device  Usually the main function of a router is considered as the forwarding of packets between two network.

Naming in Content-Oriented Architectures 1. select produce Data publishing RWINameKey Data own certify 2.

Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates Zhenhai Duan, Xin Yuan Department of Computer Science Florida State.

K. Salah1 Security Protocols in the Internet IPSec.

Prof. Reuven Aviv, Nov 2013 Public Key Infrastructure1 Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Public Key Infrastructure.

Accountable Internet Protocol David Andersen, Hari Balakrishnan, Nick Feamster, Teemu Koponen, Daekyeong Moon, Scott Shenker

IT443 – Network Security Administration Instructor: Bo Sheng

Goals of soBGP Verify the origin of advertisements

COS 561: Advanced Computer Networks

APNIC Trial of Certification of IP Addresses and ASes

BGP Security Jennifer Rexford Fall 2018 (TTh 1:30-2:50 in Friend 006)

Networking and Network Protocols (Part2)

IP Forwarding Relates to Lab 3.

Chapter 8 roadmap 8.1 What is network security?

Presentation transcript:

Holding the Internet Accountable David Andersen, Hari Balakrishnan, Nick Feamster, Teemu Koponen, Daekyeong Moon, Scott Shenker

IP Layer Names Dont Have Secure Bindings There are three kinds of IP layer names: IP address, IP prefix, AS number No secure binding of host to its IP addresses No secure binding of AS number to its IP prefixes

Problematic Result: IP Lacks Accountability Any host can spoof any other host No intrinsic support in IP to detect or prevent A network can advertise prefixes arbitrarily Many misconfigs; some examples of ill intent S-BGP requires external mechanisms to bind prefix to AS and AS to public key No intrinsic support in IP to detect or prevent Accountability: Ability to associate action with entity or hold entity responsible for action Basis for security in real-world Foundation for raising level of Internet security

AIP: Accountable Internet Protocol Goal: Intrinsic support for network-layer accountability in the Internet Key idea: New addressing (naming) scheme for networks and hosts Simple protocols that use properties of addressing scheme as foundation Securing BGP, anti-spoofing, targeted traffic throttling (anti-DoS)

AIP Addressing Autonomous domains, each with unique ID (smaller than an AS) AD1 AD2 AD3 Address = AD1:EID Each host has a global EID [HIP, DOA, LISP] AD and EID are self-certifying [ SFS ] flat names AD = hash(public_key_of_AD, other_stuff) Self-certification binds name to named entity AD and EID are self-certifying [ SFS ] flat names AD = hash(public_key_of_AD, other_stuff) Self-certification binds name to named entity If multihomed, has multiple addresses AD1:EID,AD2:EID,AD3:EID AD and EID are self-certifying [ SFS ] flat names AD = hash(public_key_of_AD, other_stuff) Self-certification binds name to named entity AD and EID are self-certifying [ SFS ] flat names AD = hash(public_key_of_AD, other_stuff) Self-certification binds name to named entity

AIP Forwarding and Routing Y:EID AD R AD G AD B AD Y Source Routers in R, G, B use only AD field to forward: route_lookup(Y) Once packet is in AD Y (destination AD), Ys routers: route_lookup(EID) Inter-AD routing uses AD numbers as routing objects: Y: AD path = [B G R]; B: AD path = [G R]; etc. Note absence of prefixes Intra-AD routing disseminates EIDs (many ways possible)

With AIP Addresses, Accountability is Intrinsic (Recall) Ability to associate action with entity or hold entity responsible for action Control-plane accountability improves security of routing protocol (BGP) Source accountability detects spoofing and forgery Also helps throttle traffic from well- intentioned [ Shaw ] compromised hosts Mechanisms borrow ideas from previous work [ S-BGP, uRPF ], but goals achieved more readily

Control-Plane Accountability (for BGP) Origin authentication: Ensure routing prefix being originated by AS X actually belongs to X Path authentication: Ensuring accuracy of AS path S-BGP and soBGP require external infrastructures Routing registry recording prefix ownership PKI (database) mapping AS to its public key In practice, registries notoriously inaccurate With AIP: ADs exchange pub keys via BGP messages Path auth identical to S-BGP (but no PKI) Origin auth achieved just like that (no registry)

Source Accountability: Detecting Spoofing Property 1: When challenged, only entity with AD As private key can prove packet was sent with source address A: Property 2: When challenged, only entity with EID Es private key can prove packet was sent with source address :E Any entity seeing packet can check these two properties using a verification protocol

AIP Verification Protocol Receive pkt w/ src A:E Drop pkt Send nonce to A or E Nonce response must be signed w/ As (or Es) priv key Receive nonce resp Verify signature Add A (or E):iface to accept cache Local AD? N Y N Trust nbhr AD? N Y Accept & forward Y In accept cache? SLA, uRPF, …

AIP Enables Secure Shut-Off Problem: Compromised host X sending stream of unwanted traffic to destination D X is well-intentioned, owner benign [ Shaw ] D = A D :E D sends signed shut-off pkt to X = A X :E X Shut-off = {Ds pub key, hash of recent pkt recd from X by D, TTL} signed by Ds priv key Self-cert address, so D cant shut-off traffic to D Can send shut-offs to hosts or to ADs Shut-off scheme implemented in NIC firmware Immutable by host software (updates require physical access via USB/serial port)

AIP Enables Secure Shut-Off Problem: Compromised host X sending stream of unwanted traffic to destination D X is well-intentioned, owner benign [ Shaw ] D X Shut-off packet signed by D to X: {time, Ds pub key, hash of recent pkt recd from X by D, TTL} Can send shut-offs to hosts or to ADs Shut-off scheme implemented in NIC firmware Immutable by host software (updates require physical access via USB/serial port)

Limitations and Concerns AIP handles spoofing, but what about minting? Any entity can make up self-certified addresses Each AD must control #EIDs per host to protect Any entity can make up routing announcements for non-existent ADs Were studying a few approaches to this problem Key management and compromise? Each AD has master key pair and current key pair; uses master to issue change But AD number and all its addresses must change More concerns in paper: routing scalability wrt state and update volume), traffic engineering, …

Conclusion Q: How to achieve network-layer accountability in an internetwork? A: Self-certifying internetwork addresses AD:EID (AIP) Each field derived from public keys Control-plane (routing) and source (anti- spoofing) accountability are now intrinsic Ideas compose well with other mechanisms for mobility, higher availability, etc.