Presentation is loading. Please wait.

Presentation is loading. Please wait.

L3A: A Protocol for Layer Three Accounting Alwyn Goodloe, Matthew Jacobs, Gaurav Shah University of Pennsylvania Carl A. Gunter University of Illinois.

Published byDaniela Lucas Modified over 9 years ago

Similar presentations

Presentation on theme: "L3A: A Protocol for Layer Three Accounting Alwyn Goodloe, Matthew Jacobs, Gaurav Shah University of Pennsylvania Carl A. Gunter University of Illinois."— Presentation transcript:

1 L3A: A Protocol for Layer Three Accounting Alwyn Goodloe, Matthew Jacobs, Gaurav Shah University of Pennsylvania Carl A. Gunter University of Illinois

2 SOHO to Enterprise Example HomeInternetOffice CAPVPNS WPA to AP Ipsec to Office SSH to Server Three levels of Authentication and Encryption! Address Translators And Firewalls

3 Multi-Tunnel Configuration Application Protocols to set up Tunnels/ Security Objectives Of Tunnels N/W Security/ Key Exchange

4 Cramming Attacks ClientServer Accounting System Attacker E2E Security Tunnel Network Access Server (NAS) NAS Security Tunnel Unauthenticated Ingress

5 Countermeasures Add difficult-to-discover state to return port. Problematic: On-path attackers Establishing sufficient state Example: Network Address Translation (NAT) Determined by four flow parameters Well known destinations give strategies for server ports and addresses Weaknesses in NAT parameter selections Brute force: 10,000 pkts/sec on stock machine Observed 7 minutes for timeout

6 Tunnel as Countermeasure Challenge: Coordinate the creation of the tunnels

7 Related Work Accounting Simple Network Management Protocol (SNMP) RADIUS Juniper Networks: GPRS gateway provides protection against “over-billing” attacks Tunnel Configuration Solsoft Policy Server Z. Fu and S.F. Wu 2001 Cisco Dynamic Multipoint VPN (DM VPN) Cisco Tunnel Endpoint Discovery (TED)

8 L3A Set-Up Client NAS Server Req(cred) Ack(cred) Fin SPD C  S:(C  N) SPD S  C:(S  N) SPD:S  C:(S  N)

9 L3A Set-Up With Reuse Client Server1 Server2 NAS Req(Cred) SPD C  S2:(C  N) SPD S2  C:(S2  N) Ack(cred)

10 L3A Tear-Down

11 Implementation Micron 600MHz Pentiums, 128 MB memory in C/S and 256 in NAS, 100 Mbps Ethernet links FreeBSD 4.8, OpenSSL crypto, PF_KEY interface to SPD IKE- our implementation of IKEv2 with support for nested tunnels

12 IKE-

13 Performance Measurements Throughput How does L3A bulk transmission compare to no accounting or other approaches to accounting? Latency How does L3A set-up compare to other approaches in ms required for set-up and tear-down? Both measured for a single client and server; NAS was only lightly loaded.

14 Throughput Cases Base – no security End-to-end – IPsec with encryption and authentication between client and server Typical – IPsec E2E and IPsec with encryption and authentication between client and NAS L3A – E2E and authenticated tunnels between client and NAS NAS and server

15 Throughput L3A is 100% faster than typical L3A is 32% slower than no accounting

16 Latency Cases End-to-end – IPsec IKE- from end to end L3A without reuse L3A with reuse of client to NAS tunnel

17 Latency Latency to establish tunnels for accounting is 142% greater than end-to-end protection alone, but In the most common case, it will be only 48% longer.

18 Conclusions Introduced concept of cramming attacks Reviewed possible countermeasures and did penetration study of NAT Proposed L3A protocol Implementation shows reasonable performance Main contribution: progress on how to design multi-tunnel protocols

19 L3A Messages

20 Cramming Attacks

Download ppt "L3A: A Protocol for Layer Three Accounting Alwyn Goodloe, Matthew Jacobs, Gaurav Shah University of Pennsylvania Carl A. Gunter University of Illinois."

Similar presentations

Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Internet Security CS457 Seminar Zhao Cheng. Security attacks interruption, interception, modification, fabrication passive attack, active attack.

Internet Security CS457 Seminar Zhao Cheng. Security attacks interruption, interception, modification, fabrication passive attack, active attack.
1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.

1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206) 217-7048

Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206)
Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)

Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)
NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT 09.11.2005.

NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT
SCSC 455 Computer Security Virtual Private Network (VPN)

SCSC 455 Computer Security Virtual Private Network (VPN)
Allied Telesyn Wireless LAN Solutions AT-WL2411 Access Point AT-WR2411 Wireless LAN PCMCIA Card.

Allied Telesyn Wireless LAN Solutions AT-WL2411 Access Point AT-WR2411 Wireless LAN PCMCIA Card.
1 Configuring Virtual Private Networks for Remote Clients and Networks.

1 Configuring Virtual Private Networks for Remote Clients and Networks.
Firewall Configuration Strategies

Firewall Configuration Strategies
A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.

A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.

An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.
Symbolic Simulation of Tunneling Protocols Carl A. Gunter, Matthew Jacobs, Gaurav Shah, Mark-Oliver Stehr (UIUC), and Alwyn Goodloe Alwyn Goodloe HCES.

Symbolic Simulation of Tunneling Protocols Carl A. Gunter, Matthew Jacobs, Gaurav Shah, Mark-Oliver Stehr (UIUC), and Alwyn Goodloe Alwyn Goodloe HCES.
Research Overview Carl A. Gunter University of Pennsylvania.

Research Overview Carl A. Gunter University of Pennsylvania.
Goal of The Paper  What exactly is a VPN?  Why do you need a VPN?  what are some of the technologies used in deploying a VPN?  How does a VPN work?

Goal of The Paper  What exactly is a VPN?  Why do you need a VPN?  what are some of the technologies used in deploying a VPN?  How does a VPN work?
Discovery and Traversal of Security Gateways Alwyn E. Goodloe University of Pennsylvania Contessa NS Protocol eXchange June 10, 2005.

Discovery and Traversal of Security Gateways Alwyn E. Goodloe University of Pennsylvania Contessa NS Protocol eXchange June 10, 2005.

Similar presentations

Ads by Google