Discovery and Traversal of Security Gateways Alwyn E. Goodloe University of Pennsylvania Contessa NS Protocol eXchange June 10, 2005.


1 Discovery and Traversal of Security Gateways
Alwyn E. Goodloe, University of Pennsylvania
Contessa NS Protocol eXchange, June 10, 2005

2 History of Routing Protocols
- In the early days of the ARPANet:
  - Few nodes
  - Routing tables manually configured at each node by the local system admin
- Centralized management as an alternative:
  - Network manager knows the topology and handles everything
  - Tools can help, but it is still difficult

3 Drawbacks
- Managers must know the topology
- Managers control who gets to play
  - Cannot just go and add or delete a node
- Hard to see how the Internet would have grown to its present size had either of these schemes been adopted

4 Dynamic Routing Protocols
- Routing tables are updated as part of the protocol
- Adapts to changing topology and growth
- Theory:
  - Convergence in the face of changes
  - Correctness
  - Efficiency of the underlying protocols

5 Security Gateways
- Located at cutpoints in the network
- Possess an inside and an outside
- Nodes on the inside constitute its domain
- Gateways control what traffic can enter and leave a domain

6 Single Gateway

7 Network

8 Network as Graph

9 Gateway Hierarchy

10 Traversing Gateways
- High-level policies at the gateways determine which users can communicate with members of its domain
- To enforce policies, gateways authenticate packets using cryptographic tunnels
  - Security Associations (IPsec)
- Packet filters determine which packets go in which association

11 Industrial Practice
- Gateways are usually configured using command line interfaces
- Moving to centralized management
  - Tool support: Solsoft Policy server
- Drawbacks same as for routers
  - Inflexible in the face of changing topology
- Want protocols to dynamically find gateways and set up associations

12 Moving Toward Dynamic Set Up
- DMVPN for the hub-and-spoke model
- Hub acts as coordinator
- A protocol that sets up tunnels between spokes
- Works well for this popular topology

13 Set Up Protocol Requirements
- Discover gateways along the path
  - Send out distinguished control packets
- Negotiate trust relationship based on high-level policy
- Set up associations using some key-exchange protocol (IKE, JFK)
- Install packet filters (low-level policies) on the gateways that are derived from, or at least compatible with, the high-level policies
- Discovery protocols are a special class of signaling protocol

14 Do People Really Want This?
- Cisco's Tunnel Endpoint Discovery (TED) protocol performs discovery
  - Limited: assumes two gateways
  - Built into high-end security gateways
  - Indicates industrial demand
- IETF's IP Security Policy (IPSP) group
  - Charter says they will develop a discovery protocol

15 Need for Theory
- We have designed several protocols for setting up collections of IPsec tunnels
  - Sectrace, L3A (WITS 05)
- Each had subtle flaws that were uncovered by formal analysis
- Want a formalism and theory for developing such signaling protocols
  - Like the spi calculus and MSR for crypto protocols

16 Tunnel Calculus
- Key exchange as an abstract building block
  - Not concerned with the cryptography
  - Terminates with associations and policies properly set up
- Captures essential details of the network
  - Contrasts with process algebras that abstract away from the network
- Built in layers

17 Layers
- Packet Routing
- Security Processing
- Trust Negotiation
- Establishment
- Discovery

18 Example
(figure: nodes a, g, b; message labels: Negotiate, Establishment, Authenticate, Establishment, Encryption, Negotiation)

19 Establishment Layer
(figure: two-message exchange between A and B)
- A → B: Req(spi-a, request)
- B → A: Rep(spi-a, spi-b, request)
- Afterwards, both A and B hold SADB and SPDB entries for the associations A → B and B → A
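The Req/Rep exchange modeled in a few lines, added here as an example and not the presentation's own code. It assumes, IKE-style, that each side chooses the SPI it will accept inbound, and it drops a Rep that does not match an outstanding Req:

```python
"""Abstract establishment layer (slide 19): a Req/Rep exchange after which both
SADBs and SPDBs hold the A<->B association.  Added example; key exchange is
treated as an opaque building block, as the slides do."""
from collections import namedtuple

Req = namedtuple("Req", "spi_a request")        # request = (src, dst) selector
Rep = namedtuple("Rep", "spi_a spi_b request")

class Endpoint:
    def __init__(self, name, first_spi):
        self.name, self.next_spi = name, first_spi
        self.sadb = {}      # (src, dst) -> spi protecting that direction
        self.spdb = {}      # (src, dst) -> association applied to matching packets
        self.pending = {}   # spi_a -> request, waiting for the matching Rep

    def fresh_spi(self):
        self.next_spi += 1
        return self.next_spi

    def initiate(self, peer):
        # Assumption: each side picks the SPI it will accept inbound (IKE style).
        req = Req(self.fresh_spi(), (self.name, peer))
        self.pending[req.spi_a] = req.request
        return req

    def respond(self, req):
        rep = Rep(req.spi_a, self.fresh_spi(), req.request)
        self._install(rep)
        return rep

    def complete(self, rep):
        # A Rep echoing an unknown spi_a or a different request is dropped,
        # so a stray or replayed reply cannot install state.
        if self.pending.pop(rep.spi_a, None) != rep.request:
            raise ValueError(f"{self.name}: unsolicited Rep {rep}")
        self._install(rep)

    def _install(self, rep):
        src, dst = rep.request
        self.sadb[(src, dst)] = rep.spi_b   # chosen by dst, used for src->dst
        self.sadb[(dst, src)] = rep.spi_a   # chosen by src, used for dst->src
        self.spdb[(src, dst)] = (src, dst)
        self.spdb[(dst, src)] = (dst, src)

def establish(a, b):
    """Run the exchange between two endpoints; True if both ends agree."""
    a.complete(b.respond(a.initiate(b.name)))
    return a.sadb == b.sadb and a.spdb == b.spdb
```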

20 Trust Negotiation
- When a discovery packet destined for node B arrives at a gateway G:
  - how does G know whether it should allow the set up?
  - how does the initiator know that B is inside G's domain?
- These questions need to be settled by high-level policy
- This must be known before establishment begins

21 Trust Management
- Need to discover, access, and process high-level policy
- Work in progress
- Related work:
  - Security Policy Protocol (SSP), IETF IPSP
  - SPKI/SDSI
  - PolicyMaker/KeyNote
  - QCM/SD3
  - ...
- Borrow ideas and abstract away details

22 Security Processing Layer
- Abstraction of IPsec
- Security Associations (SA) define cryptographic transforms
  - Abstract away the cryptography
  - Tunnel mode
- Packet P(a,b,y) in association c → d:I becomes P(c,d,S(I,P(a,b,y)))
- Association Database (SADB)

23 Security Processing Layer (contd.)
- Packet filters called security policies direct traffic into SAs
- Security Policy Database (SPDB)
  - SPDB-IN and SPDB-OUT
- Must model the processing of packets!
  - Headers added and removed in accordance with policy
- Each packet that enters the system must undergo processing
- Outgoing packets are processed before being sent down to the routing layer

24 IPsec example
(figure: A – G – B, with associations i1: A → G, i2: G → B, i3: A → B)
- At A, outbound policy A → B: [(A → B)(A → G)]; packet on the wire: P(A,G,S(i1,P(A,B,S(i3,P(A,B,y)))))
- At G, inbound policy A → B: [(A → G)]; after stripping i1: P(A,B,S(i3,P(A,B,y)))
- At G, outbound policy A → B: [(G → B)]; packet on the wire: P(G,B,S(i2,P(A,B,S(i3,P(A,B,y)))))
- At B, inbound policy A → B: [(A → B)(G → B)]; after stripping i2 and i3: P(A,B,y)
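A small executable model of the security processing layer (slides 22 to 24), added here as an example and not part of the presentation. It assumes a concrete SADB/SPDB representation (described in the docstring), walks the A – G – B example above, and rejects a packet that reaches a node with fewer headers than SPDB-IN requires:

```python
"""Security processing layer of the tunnel calculus (slides 22-24), as an added
example.  P(src, dst, payload) is a packet; S(i, p) is p protected under
association i; in tunnel mode, applying c->d:i to a packet p yields P(c, d, S(i, p)).
Assumed representation: SPDB-OUT lists the SPIs to apply (innermost first) and
SPDB-IN the SPIs expected to be stripped (outermost first), keyed by (src, dst)."""
from collections import namedtuple

P = namedtuple("P", "src dst payload")   # plain packet P(a, b, y)
S = namedtuple("S", "spi inner")         # S(I, P(a, b, y))

class SecureNode:
    def __init__(self, name, sadb, spdb_out, spdb_in):
        self.name = name
        self.sadb = sadb          # spi -> (c, d): endpoints of association c->d:spi
        self.spdb_out = spdb_out  # (src, dst) -> [spi, ...]
        self.spdb_in = spdb_in    # (src, dst) -> [spi, ...]

    def send(self, pkt):
        """Outgoing packets are processed before being handed to the routing layer."""
        for spi in self.spdb_out.get((pkt.src, pkt.dst), []):
            c, d = self.sadb[spi]
            pkt = P(c, d, S(spi, pkt))      # add one tunnel header
        return pkt

    def receive(self, pkt):
        """Strip every header addressed to this node, then check SPDB-IN.
        A packet that arrives with fewer or different headers than policy
        requires is rejected rather than passed up in the clear."""
        stripped = []
        while pkt.dst == self.name and isinstance(pkt.payload, S):
            spi, inner = pkt.payload
            if self.sadb.get(spi) != (pkt.src, pkt.dst):
                raise ValueError(f"{self.name}: no SA {spi} for {pkt.src}->{pkt.dst}")
            stripped.append(spi)
            pkt = inner
        expected = self.spdb_in.get((pkt.src, pkt.dst), [])
        if stripped != expected:
            raise ValueError(f"{self.name}: policy requires {expected}, got {stripped}")
        return pkt

def slide24_example(y="y"):
    """Walk the A - G - B example; returns the two wire packets and what B receives."""
    sadb = {"i1": ("A", "G"), "i2": ("G", "B"), "i3": ("A", "B")}  # shared for brevity
    A = SecureNode("A", sadb, {("A", "B"): ["i3", "i1"]}, {})
    G = SecureNode("G", sadb, {("A", "B"): ["i2"]}, {("A", "B"): ["i1"]})
    B = SecureNode("B", sadb, {}, {("A", "B"): ["i2", "i3"]})
    wire_ag = A.send(P("A", "B", y))          # P(A,G,S(i1,P(A,B,S(i3,P(A,B,y)))))
    wire_gb = G.send(G.receive(wire_ag))      # P(G,B,S(i2,P(A,B,S(i3,P(A,B,y)))))
    return wire_ag, wire_gb, B.receive(wire_gb)
```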

25 Routing Layer
- Network topology induced by forwarding tables
- Routers only route:
  - Packet p arrives at r
  - Look up the next hop in the table
  - Send the packet to the next hop
- Secure nodes do IPsec processing
  - All packets that arrive are sent up to be processed by the security layer

26 Formalism
- Based on multiset rewriting and equational logic
- Very basic logic
  - Control flow must be explicit
  - Each rule may execute concurrently unless constrained
- State must be explicitly passed among rules
  - MSR's L-predicates
  - Our resumption terms

27 Routing Grammar

28 Routing Layer Rules

29 Security Processing Grammar

30 (no transcript text)

31 Nesting a packet

32 Output Rule

33 Safety/Liveness Properties
- Safety: if a tunnel is formed, then a proper set of credentials exists
- Liveness: given some global policy, the two parties should be able to communicate, assuming everything is in the right place
- Still working on formalizing these

34 Future Work
- Dissertation will flesh out the details of each layer
  - Executable models in Maude
  - Proofs of properties
  - Work on the theorems
  - Trust negotiation layer

35 Contessa NS People
Carl A. Gunter, Mark-Oliver Stehr, Alwyn Goodloe, Matthew Jacobs, Gaurav Shah, Michael McDougall, Gul Agha, Michael Greenwald, Sanjeev Khanna, Jose Meseguer, Koushik Sen, Prasanna Thati

