1
Discovery and Traversal of Security Gateways
Alwyn E. Goodloe
University of Pennsylvania
Contessa NS Protocol eXchange
June 10, 2005
2
History of Routing Protocols
In the early days of the ARPANet:
  Few nodes
  Routing tables manually configured at each node by the local system admin
Centralized management was the alternative:
  The network manager knows the topology and handles everything
  Tools can help, but it is still difficult
3
Drawbacks
Managers must know the topology
Managers control who gets to play
  Cannot just go and add or delete a node
Hard to see how the Internet would have grown to its present size had either of these schemes been adopted.
4
Dynamic Routing Protocols
Routing tables are updated as part of the protocol
Adapts to changing topology and growth
Theory:
  Convergence in the face of changes
  Correctness
  Efficiency of the underlying protocols
5
Security Gateways
Located at cutpoints in the network
Possess an inside and an outside
Nodes on the inside constitute its domain
Gateways control what traffic can enter and leave a domain
6
Single Gateway (figure)
7
Network (figure)
8
Network as Graph (figure)
9
Gateway Hierarchy (figure)
10
Traversing Gateways
High-level policies at the gateways determine which users can communicate with members of its domain
To enforce policies, gateways authenticate packets using cryptographic tunnels
  Security Associations (IPsec)
  Packet filters determine which packets go in which association
11
Industrial Practice
Gateways are usually configured using command line interfaces
Moving to centralized management
  Tool support: Solsoft Policy Server
Drawbacks are the same as for routers
  Inflexible in the face of changing topology
Want protocols to dynamically find gateways and set up associations
12
Moving Toward Dynamic Set Up
DMVPN for the hub-and-spoke model
  Hub acts as coordinator
  A protocol that sets up tunnels between spokes
  Works well for this popular topology
13
Set Up Protocol Requirements
Discover gateways along the path
  Send out distinguished control packets
Negotiate a trust relationship based on high-level policy
Set up associations using some key-exchange protocol (IKE, JFK)
Install packet filters (low-level policies) on the gateways that are derived from, or compatible with, the high-level policies
Discovery protocols are a special class of signaling protocol
14
Do People Really Want This?
Cisco's Tunnel Endpoint Discovery (TED) protocol performs discovery
  Limited: assumes two gateways
  Built into high-end security gateways
  Indicates industrial demand
IETF's IP Security Policy (IPSP) group
  Charter says they will develop a discovery protocol
15
Need For Theory
We have designed several protocols for setting up collections of IPsec tunnels
  Sectrace, L3A (WITS 05)
Each had subtle flaws that were uncovered by formal analysis
Want a formalism and theory for developing such signaling protocols
  Like Spi-Calculus and MSR for crypto protocols
16
Tunnel Calculus
Key exchange as an abstract building block
  Not concerned with the cryptography
  Terminates with associations and policies properly set up
Captures essential details of the network
  Contrasts with process algebras that abstract away from the network
Built in layers
17
Layers (figure): Packet Routing, Security Processing, Trust Negotiation, Establishment, Discovery
18
Example (figure): nodes a, b and g; steps labelled Negotiate / Establishment, Authenticate / Establishment, Encryption / Negotiation
19
Establishment Layer (figure)
A sends Req(spi-a, request) to B; B answers Rep(spi-a, spi-b, request)
A and B each hold an SADB and an SPDB, with entries for A→B and B→A
20
Trust Negotiation
When a discovery packet destined for node B arrives at a gateway G:
  How does G know if it should allow the set up?
  How does the initiator know that B is inside G's domain?
These questions need to be settled by high-level policy
This must be known before establishment begins
21
Trust Management
Need to discover, access and process high-level policy
Work in progress
Related works:
  Security Policy Protocol (SSP), IETF IPSP
  SPKI/SDSI
  PolicyMaker/KeyNote
  QCM/SD3
  ….
Borrow ideas and abstract away details
22
Security Processing Layer
Abstraction of IPsec
Security Associations (SA) define cryptographic transforms
  Abstract away the cryptography
  Tunnel mode
  Packet P(a,b,y) in association c→d:I becomes P(c,d,S(I,P(a,b,y)))
Association Database (SADB)
23
Security Processing Layer (contd.)
Packet filters called security policies direct traffic into SAs
Security Policy Database (SPDB)
  SPDB-IN and SPDB-OUT
Must model the processing of packets!
  Headers added and removed in accordance with policy
Each packet that enters the system must undergo processing
Outgoing packets are processed before being sent down to the routing layer
24
IPsec example (figure)
Nodes A, G and B; associations i1 (A–G), i2 (G–B), i3 (A–B)
Policies: A→B:[(A B)(A G)]; A→B:[(A G)]; A→B:[(G B)]; A→B:[(A B)(G B)]
Packet on the A–G link: P(A,G,S(i1,P(A,B,S(i3,P(A,B,y)))))
Packet on the G–B link: P(G,B,S(i2,P(A,B,S(i3,P(A,B,y)))))
After i2 is removed: P(A,B,S(i3,P(A,B,y)))
After i3 is removed: P(A,B,y)
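The encapsulation steps on this slide, as an added example that is not part of the presentation: a small Python model of the security-processing and routing layers, with constructed SADB, SPDB-OUT and next-hop tables for the A–G–B topology. SPDB-IN is simplified to "strip an SA only if it terminates at this node".

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class P:           # packet: outer source, outer destination, payload
    src: str
    dst: str
    body: S | str  # plain data or an S(...) protected payload

@dataclass(frozen=True)
class S:           # payload protected under the association named spi
    spi: str
    inner: P
def show(pkt: P) -> str:  # render in the slides' P(a,b,S(i,...)) notation
    b = pkt.body if isinstance(pkt.body, str) else f"S({pkt.body.spi},{show(pkt.body.inner)})"
    return f"P({pkt.src},{pkt.dst},{b})"

# Constructed tables mirroring slide 24. SADB: spi -> tunnel endpoints (c, d).
SADB = {"i1": ("A", "G"), "i2": ("G", "B"), "i3": ("A", "B")}
# SPDB-OUT per node: (selector on the packet's (src, dst), spi), applied in
# order, so A's [(A B)(A G)] puts S(i3, ...) inside S(i1, ...).
SPDB_OUT = {"A": [(("A", "B"), "i3"), (("A", "B"), "i1")],
            "G": [(("A", "B"), "i2")], "B": []}
ROUTE = {"A": {"G": "G", "B": "G"}, "G": {"B": "B"}}  # next hop by outer dst
def outbound(node: str, pkt: P) -> P:
    """Output processing: wrap the packet in each SA its policy selects."""
    selector = (pkt.src, pkt.dst)
    for sel, spi in SPDB_OUT[node]:
        if sel == selector:
            c, d = SADB[spi]
            pkt = P(c, d, S(spi, pkt))  # tunnel mode adds an outer header
    return pkt

def inbound(node: str, pkt: P) -> P:
    """Input processing: strip every SA that terminates at this node."""
    while isinstance(pkt.body, S) and pkt.dst == node:
        if SADB[pkt.body.spi][1] != node:
            raise ValueError(f"{node}: SA {pkt.body.spi} does not end here")
        pkt = pkt.body.inner
    return pkt

def deliver(src: str, dst: str, payload: str) -> tuple[list[str], P]:
    """Carry a packet from src to dst; routers forward, secure nodes process."""
    node, pkt, hops = src, P(src, dst, payload), [src]
    while not (node == dst and isinstance(pkt.body, str)):
        pkt = outbound(node, pkt)
        node = ROUTE[node][pkt.dst]  # routing layer looks only at the outer header
        hops.append(node)
        pkt = inbound(node, pkt)
    return hops, pkt
```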
25
Routing Layer
Network topology is induced by the forwarding tables
Routers only route:
  Packet p arrives at r
  Look up the next hop in the table
  Send the packet to the next hop
Secure nodes do IPsec processing
  All packets that arrive are sent up to be processed by the security layer
26
Formalism
Based on multiset rewriting and equational logic
Very basic logic
  Control flow must be explicit
  Each rule may execute concurrently unless constrained
State must be explicitly passed among rules
  MSR's L-predicates
  Our resumption terms
27
Routing Grammar
28
Routing Layer Rules
29
Security Processing Grammar
31
Nesting a packet
32
Output Rule
33
Safety/Liveness Properties
Safety: if a tunnel is formed, then a proper set of credentials exists
Liveness: given some global policy, the two parties should be able to communicate, assuming everything is in the right place
Still working on formalizing these
34
Future Work
Dissertation will flesh out the details of each layer
  Executable models in Maude
  Proofs of properties
  Work on the theorems
  Trust negotiation layer
35
Contessa NS People
Carl A. Gunter, Mark-Oliver Stehr, Alwyn Goodloe, Matthew Jacobs, Gaurav Shah, Michael McDougall, Gul Agha, Michael Greenwald, Sanjeev Khanna, Jose Meseguer, Koushik Sen, Prasanna Thati