Permission-Based Sending (PBS) NSLP: Network Traffic Authorization
draft-hong-nsis-pbs-nslp-01
Se Gi Hong & Henning Schulzrinne, Columbia University
IETF 72 - NSIS, July 2008
Overview of PBS
Objective
– Preventing Denial-of-Service (DoS) attacks and other forms of unauthorized traffic.
Network traffic authorization
– A sender has to receive permission from the intended receiver before it injects any packets into the network.
– Permission represents the authority to send data.
Deny-by-default
– In a closed network (all end users have PBS NSLP functionality): unauthorized traffic, i.e. traffic without permission, is dropped at the first router by default.
– In the open Internet (some end users do not have PBS NSLP functionality): traffic from end users who do not have PBS NSLP functionality is rate-limited by default.
Design Overview
Distributed system
– The permission is granted by the intended receiver of a data flow.
– Signaling installs and revokes the permission state of routers for data flows.
Stateful system
– A subset of routers keeps state for a data flow and monitors whether the flow is authorized.
Deployable system
– PBS can be applied to current networks: PBS does not change the IP and TCP/UDP packet headers.
– An existing security protocol, IPsec, is used.
Scalable system
– Not all routers need to be aware of PBS.
– Reduced computational overhead: only the data packets from senders who are affected by attacks use IPsec.
Design Overview
DoS defense mechanism
– DoS detection mechanism
  The PBS Detection Algorithm (PDA) detects DoS attacks; PDA uses the signaling messages to monitor for attacks.
– Reaction mechanisms against DoS attacks
  Limited permission: limited permission prevents a flood of data packets.
  IPsec Authentication Header (AH): for the authentication and integrity of data packets.
  Changing the data path: to avoid a compromised router that drops legitimate packets.
Three Components of the PBS NSLP Architecture
Path-coupled (on-path) signaling component
– Installs and maintains permission state.
– Monitors attacks and triggers the reaction mechanism against them.
– Authentication of signaling messages is protected by IPsec AH.
Authorization component
– Decides whether to grant permission (the amount of data volume) for a flow.
– Detects and identifies attacks with PDA.
– Decides the reaction mechanism against the attacks, e.g., IPsec AH for data packets or changing the data flow path.
Traffic management component
– Screens data packets to check whether they are authorized.
– Drops unauthorized packets using the IP packet filter.
– Calculates the volume of data in order to monitor the data flow.
– Verifies the authentication of packets.
PBS NSLP Signaling Messages
Two-way handshake
– Query message
  Sent by a sender to request permission.
  Describes the requested application.
  Rate-limited by proof-of-work.
– Permission message
  Sent by a receiver.
  Sets up (grants), removes (revokes) and modifies permission state.
  Triggers the reaction mechanism against attacks.
Soft state
– The permission state is refreshed periodically by a soft-state mechanism.
PBS Detection Algorithm (PDA)
Monitoring for DoS attacks
– Uses the existing PBS NSLP messages (Query/Permission messages).
– Uses the soft-state mechanism to periodically monitor the data flow.
Basic operation of PDA
– The Query message sent by a sender contains the number of bytes the sender has sent since the permission was granted.
– The receiver compares the number of bytes reported in the Query message with the number of bytes it has actually received.
– If there is a difference, the signaling message (Permission message) triggers the reaction mechanism.
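The receiver side of the PDA check and the soft-state permission it runs on, as an added example in Python (not code from the draft or its authors): the receiver keeps per-flow permission state (AV, TTL, T), counts the bytes that actually arrive, and on each refresh Query compares the reported V with that count. The S codes are the solution flags listed on the Permission message slide, and answering excess traffic with S=10 and missing traffic with S=11 follows the two PDA figures in the back-up slides; the 10 MB grant cap, the in-flight tolerance, the three-missed-refresh expiry rule and the flow ids are assumptions.

```python
"""Receiver-side PBS NSLP permission state with the PDA volume check.

Added example; not code from the draft or its authors. Flow ids, the MAX_GRANT
cap, the in-flight tolerance and the expiry rule (three missed refreshes) are
assumptions. The S codes are the solution flags from the Permission message.
"""
from dataclasses import dataclass

# Solution flags (S) carried in the Permission message
S_NO_REACTION = 0b00
S_AH_HMAC = 0b01
S_AH_PUBKEY = 0b10
S_CHANGE_PATH = 0b11

MB = 1024 * 1024
MAX_GRANT = 10 * MB      # assumed receiver policy: never grant more than 10 MB (AV cap)
MISSED_REFRESHES = 3     # assumed: state is revoked after 3 refresh periods without a Query


@dataclass
class PermissionState:
    flow_id: str
    allowed_volume: int      # AV: bytes the receiver granted
    ttl: int                 # TTL: lifetime of the permission, seconds
    refresh_period: int      # T: expected interval between refresh Queries, seconds
    granted_at: float
    last_query_at: float
    received_bytes: int = 0  # counted by the receiver's traffic management component


def pda_reaction(reported_v: int, received: int, tolerance: int = 0) -> int:
    """PBS Detection Algorithm: compare V (bytes the sender says it sent since
    permission was granted) with the bytes the receiver actually counted.
    `tolerance` (an assumption) absorbs packets still in flight when V was read."""
    diff = received - reported_v
    if diff > tolerance:
        # More arrived than the legitimate sender sent: someone else is injecting
        # packets with the sender's address. Ask for IPsec AH with public-key
        # authentication on the data flow so spoofed packets can be rejected.
        return S_AH_PUBKEY
    if diff < -tolerance:
        # Less arrived than was sent: an on-path node is dropping the data
        # packets while signaling still gets through. Ask the sender to move
        # the flow to a different path.
        return S_CHANGE_PATH
    return S_NO_REACTION


class PbsReceiver:
    """Holds per-flow permission state and answers Query messages."""

    def __init__(self, ttl: int = 600, refresh_period: int = 30):
        self.ttl = ttl
        self.refresh_period = refresh_period
        self.flows = {}  # flow id -> PermissionState

    def count_received(self, flow_id: str, nbytes: int) -> None:
        """Called by the traffic management component for each authorized packet."""
        if flow_id in self.flows:
            self.flows[flow_id].received_bytes += nbytes

    def handle_query(self, flow_id: str, rv: int, v: int, now: float) -> dict:
        """Process a Query (RV, V) received at time `now`; return Permission fields."""
        state = self.flows.get(flow_id)
        if state is None:
            # Initial Query: grant permission. AV may be smaller than the requested RV.
            state = PermissionState(flow_id, min(rv, MAX_GRANT), self.ttl,
                                    self.refresh_period, now, now)
            self.flows[flow_id] = state
            return self._permission(state, S_NO_REACTION)

        expired = (now - state.granted_at > state.ttl
                   or now - state.last_query_at > MISSED_REFRESHES * state.refresh_period)
        if expired:
            # Soft state timed out: revoke (AV=0) and forget the flow; the sender
            # has to start over with a fresh Query.
            del self.flows[flow_id]
            return {"M": 1, "FID": flow_id, "AV": 0, "TTL": 0, "T": 0, "S": S_NO_REACTION}

        # Refresh Query: run PDA on the reported volume.
        state.last_query_at = now
        return self._permission(state, pda_reaction(v, state.received_bytes))

    @staticmethod
    def _permission(st: PermissionState, s: int) -> dict:
        return {"M": 1, "FID": st.flow_id, "AV": st.allowed_volume,
                "TTL": st.ttl, "T": st.refresh_period, "S": s}


def demo() -> tuple:
    """Replays the two back-up figures with constructed flows: a spoofed flood
    (sender sent 1 MB, receiver saw 3 MB) and a drop attack (1 MB sent, 0 seen)."""
    rx = PbsReceiver()
    p0 = rx.handle_query("flowA", rv=10 * MB, v=0, now=0.0)         # initial grant
    rx.count_received("flowA", 1 * MB)                               # sender's own data
    rx.count_received("flowA", 2 * MB)                               # attacker spoofing the sender
    p1 = rx.handle_query("flowA", rv=10 * MB, v=1 * MB, now=30.0)   # PDA: 1 MB vs 3 MB
    rx.handle_query("flowB", rv=10 * MB, v=0, now=0.0)
    p2 = rx.handle_query("flowB", rv=10 * MB, v=1 * MB, now=30.0)   # PDA: 1 MB vs 0 MB
    p3 = rx.handle_query("flowA", rv=10 * MB, v=1 * MB, now=200.0)  # no refresh for 170 s: revoked
    return p0["S"], p1["S"], p2["S"], p3["AV"]


if __name__ == "__main__":
    print(demo())
```

The tolerance parameter is the check a deployment needs before acting on a difference: V is a snapshot taken when the sender builds the Query, so a few packets can legitimately still be in flight, and a zero tolerance would trigger the reaction on every refresh of a busy flow.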
Back-up slides
PBS NSLP Architecture (figure): blocks for PBS NSLP Processing, Authorization, NTLP (GIST) Processing and Traffic Management, connected by control and configuration, data flow, signal flow and on-path signaling arrows.
Query Message
Message type flag (M)
– Set to M=0 to indicate that the message is a Query message.
Flow identifier
– Descriptor of the data flow.
– Source IP address, destination IP address, protocol identifier, higher-layer (port) addressing, flow label, SPI field, DSCP/TOS field.
Requested volume (RV)
– The number of bytes that the sender requests.
Volume information (V)
– The number of bytes that the sender has sent since it received the permission from the intended receiver.
– Used to monitor for DoS attacks.
Public key (Ks)
– The sender's public key for the authentication of signaling packets.
– An X.509 certificate is used for the digital signature.
Cryptography algorithm (C)
– The cryptography algorithm to be used for the authentication field in IPsec AH.
– C=00: RSA, C=01: DSA, C=10: ECDSA
Permission Message
Message type flag (M)
– Set to M=1 to indicate that the message is a Permission message.
Flow identifier
Allowed volume (AV)
– The number of bytes that the receiver grants the sender for the request.
Time limit (TTL)
– Time limit for the permission of the data flow.
Refresh period (T)
– Used for the soft state of the permission.
Solution flags (S)
– S=00: No reaction, S=01: IPsec AH with HMAC, S=10: IPsec AH with public key cryptography for the data flow, S=11: The sender needs to change the data path.
Public key (Kr)
– The receiver's public key for the authentication of signaling packets.
– An X.509 certificate is used for the digital signature.
Cryptography algorithm (C)
– The cryptography algorithm to be used for the authentication field in IPsec AH.
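An encoder and decoder for the two message formats on the Query and Permission slides, as an added example in Python (not code from the draft or its authors). The draft's real bit layout is not on these slides, so the fixed layout used here (one flags byte carrying M, S and C; an IPv4 5-tuple as the flow identifier; 64-bit volumes; a length-prefixed key blob standing in for the X.509 material) is an assumption; the field names and the M, C and S code values are the ones listed above. The decoder rejects the unassigned C code, non-zero S bits in a Query, truncated key fields and trailing bytes, which is the input validation a traffic management component would want before acting on a message.

```python
"""Encoder/decoder for a simplified PBS NSLP Query/Permission message.

Added example; not code from the draft. The layout below is an assumption:
flags byte (bit 7 = M, bits 3-2 = S, bits 1-0 = C), IPv4 5-tuple flow
identifier, 64-bit volumes, 16-bit length-prefixed public key blob.
"""
import ipaddress
import struct

M_QUERY, M_PERMISSION = 0, 1
C_RSA, C_DSA, C_ECDSA = 0b00, 0b01, 0b10                                # cryptography algorithm (C)
S_NONE, S_AH_HMAC, S_AH_PUBKEY, S_CHANGE_PATH = 0b00, 0b01, 0b10, 0b11  # solution flags (S)
VALID_C = {C_RSA, C_DSA, C_ECDSA}                                       # 0b11 is not assigned

FLOW_FMT = "!4s4sBHH"   # flow identifier: src IPv4, dst IPv4, protocol, src port, dst port
QUERY_FMT = "!QQ"       # RV, V (bytes)
PERM_FMT = "!QIH"       # AV (bytes), TTL (s), T (s)
KEYLEN_FMT = "!H"       # length prefix of the public key blob (Ks / Kr)


def _pack_flow(fid: tuple) -> bytes:
    src, dst, proto, sport, dport = fid
    return struct.pack(FLOW_FMT, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed, proto, sport, dport)


def _unpack_flow(buf: bytes) -> tuple:
    src, dst, proto, sport, dport = struct.unpack(FLOW_FMT, buf)
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
            proto, sport, dport)


def encode_query(fid: tuple, rv: int, v: int, ks: bytes, c: int) -> bytes:
    """Query: M=0, flow id, RV, V, Ks, C. The S bits stay zero."""
    if c not in VALID_C:
        raise ValueError("unassigned cryptography algorithm code")
    flags = (M_QUERY << 7) | c
    return (bytes([flags]) + _pack_flow(fid) + struct.pack(QUERY_FMT, rv, v)
            + struct.pack(KEYLEN_FMT, len(ks)) + ks)


def encode_permission(fid: tuple, av: int, ttl: int, t: int, s: int,
                      kr: bytes, c: int) -> bytes:
    """Permission: M=1, flow id, AV, TTL, T, S, Kr, C. AV=0 revokes the flow."""
    if c not in VALID_C or not 0 <= s <= 0b11:
        raise ValueError("bad C or S code")
    flags = (M_PERMISSION << 7) | (s << 2) | c
    return (bytes([flags]) + _pack_flow(fid) + struct.pack(PERM_FMT, av, ttl, t)
            + struct.pack(KEYLEN_FMT, len(kr)) + kr)


def decode(buf: bytes) -> dict:
    """Parse either message type; raise ValueError on anything malformed."""
    if len(buf) < 1:
        raise ValueError("empty message")
    flags = buf[0]
    m, s, c = flags >> 7, (flags >> 2) & 0b11, flags & 0b11
    if c not in VALID_C:
        raise ValueError("unassigned cryptography algorithm code")
    off = 1 + struct.calcsize(FLOW_FMT)
    fid = _unpack_flow(buf[1:off])          # struct.error if the buffer is too short
    if m == M_QUERY:
        if s != 0:
            raise ValueError("S bits must be zero in a Query")
        rv, v = struct.unpack_from(QUERY_FMT, buf, off)
        off += struct.calcsize(QUERY_FMT)
        msg = {"M": m, "FID": fid, "RV": rv, "V": v, "C": c}
    else:
        av, ttl, t = struct.unpack_from(PERM_FMT, buf, off)
        off += struct.calcsize(PERM_FMT)
        msg = {"M": m, "FID": fid, "AV": av, "TTL": ttl, "T": t, "S": s, "C": c}
    (klen,) = struct.unpack_from(KEYLEN_FMT, buf, off)
    off += struct.calcsize(KEYLEN_FMT)
    key = buf[off:off + klen]
    if len(key) != klen or off + klen != len(buf):
        raise ValueError("truncated key field or trailing bytes")
    msg["Ks" if m == M_QUERY else "Kr"] = key
    return msg


def is_well_formed(buf: bytes) -> bool:
    """True if `buf` decodes cleanly (struct.error covers short buffers)."""
    try:
        decode(buf)
        return True
    except (ValueError, struct.error):
        return False


if __name__ == "__main__":
    fid = ("192.0.2.10", "198.51.100.20", 6, 40000, 443)   # constructed flow
    q = encode_query(fid, rv=10 * 2**20, v=2**20, ks=b"<Ks placeholder>", c=C_ECDSA)
    p = encode_permission(fid, av=10 * 2**20, ttl=600, t=30, s=S_AH_PUBKEY,
                          kr=b"<Kr placeholder>", c=C_ECDSA)
    print(decode(q))
    print(decode(p))
```

The key blobs are placeholders: in the protocol the Ks and Kr fields carry X.509 material and the signaling message itself is protected by IPsec AH, so a real decoder would verify that protection before trusting any field it parsed here.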
Basic Operation of PBS NSLP (figure): Sender, R1, R2 and Receiver along a time axis T. The Query Q (M, FID, RV, V, Ks, C) travels hop by hop from the Sender to the Receiver and the Permission P (M, FID, AV, TTL, T, S, Kr, C) returns along the same path; data flow and signal flow are shown, and the Query/Permission exchange is repeated.
Basic Operation of PDA (figure): Sender, R1, R2, R3, Receiver and an attacker A spoofing the sender's address. The sender's data flow is 1 MB, the attack flow 2 MB. Signal flow: Query, Permission (AV=10MB), Query (V=1MB); the receiver detects the attack (1 MB vs 3 MB) and answers with Permission (S=10).
Detection of Black Hole Attack (figure): Sender, R1, R2 (attacker, drop attack), R3, Receiver. The Query is lost at the attacking router; after a timeout (T.O.) the sender changes the data flow path.
Detection of Dropping Only Data Packets (figure): Sender, R1, R2 (attacker, drop attack), R3, Receiver. The sender's data flow (1 MB) is dropped at R2 while the signaling passes. Signal flow: Query, Permission (AV=10MB), Query (V=1MB); the receiver detects the attack (1 MB vs 0 MB) and answers with Permission (S=11).