July 2008 IETF 72 - NSIS 1
Permission-Based Sending (PBS) NSLP: Network Traffic Authorization
draft-hong-nsis-pbs-nslp-01
Se Gi Hong & Henning Schulzrinne, Columbia University
July 2008 IETF 72 - NSIS 2
Overview of PBS
• Objective
– Preventing Denial-of-Service (DoS) attacks and other forms of unauthorized traffic.
• Network traffic authorization
– A sender has to receive permission from the intended receiver before it injects any packets into the network.
– Permission represents the authority to send data.
• Deny-by-default
– In a closed network (all end users have PBS NSLP functionality):
  • Unauthorized traffic without permission is dropped at the first router by default.
– In the open Internet (some end users do not have PBS NSLP functionality):
  • Traffic from end users who do not have PBS NSLP functionality is rate-limited by default.
July 2008 IETF 72 - NSIS 3
Design Overview
• Distributed system
– The permission is granted by the intended receiver of a data flow.
– Signaling installs and revokes the permission state of routers for data flows.
• Stateful system
– A subset of routers keeps state for a data flow and monitors whether the flow is authorized.
• Deployable system
– PBS can be applied to current networks.
  • PBS does not change the IP and TCP/UDP packet headers.
– An existing security protocol is used.
  • IPsec
• Scalable system
– Not all routers need to be aware of PBS.
– Reduced computational overhead.
  • Only the data packets from senders who are affected by attacks use IPsec.
July 2008 IETF 72 - NSIS 4
Design Overview
• DoS defense mechanism
– DoS detection mechanism
  • The PBS Detection Algorithm (PDA) can detect DoS attacks.
  • PDA uses signaling messages to monitor the attacks.
– Reaction mechanism against DoS attacks
  • Limited permission
    – Limited permission prevents an overflow of data packets.
  • IPsec Authentication Header (AH)
    – For the authentication and integrity of data packets.
  • Changing the data path
    – To avoid a compromised router that drops legitimate packets.
July 2008 IETF 72 - NSIS 5
Three Components of the PBS NSLP Architecture
• Path-coupled (on-path) signaling component
– Installs and maintains permission state.
– Monitors attacks and triggers the reaction mechanism against the attacks.
– Authentication of signaling messages is protected by IPsec AH.
• Authorization component
– Decides whether to grant permission (amount of data volume) for a flow.
– Detects and identifies the attack by PDA.
– Decides the reaction mechanism against the attacks.
  • e.g., IPsec AH for data packets, changing the data flow path
• Traffic management component
– Screens the data packets to see whether they are authorized.
– Drops unauthorized packets using an IP packet filter.
– Calculates the volume of the data to monitor the data flow.
– Verifies the authentication of packets.
July 2008 IETF 72 - NSIS 6
PBS NSLP Signaling Message
• Two-way handshake
– Query message
  • Sent by a sender to request permission
  • The requested application is described
  • Rate-limited by proof-of-work
– Permission message
  • Sent by a receiver
  • Sets up (grants), removes (revokes) and modifies permission state
  • Triggers the reaction mechanism against the attacks
• Soft-state
– The permission state is refreshed periodically by a soft-state mechanism
July 2008 IETF 72 - NSIS 7
PBS Detection Algorithm (PDA)
• Monitoring DoS attacks
– Uses the existing PBS NSLP messages (Query/Permission messages)
– Uses the soft-state mechanism to periodically monitor the data flow
• Basic operation of PDA
– The Query message sent by a sender contains the number of bytes that the sender has sent since the permission was granted
– The receiver compares the number of bytes in the Query message with the number of bytes that it has actually received
– If there is a difference, the signaling message (Permission message) triggers the reaction mechanism
July 2008 IETF 72 - NSIS 8
Back-up slides
July 2008 IETF 72 - NSIS 9
PBS NSLP Architecture
[Figure: block diagram of a PBS node. Blocks: PBS NSLP Processing, Authorization, NTLP (GIST) Processing, Traffic Management. Arrow legend: control and configuration, data flow, signal flow (on-path signaling).]
July 2008 IETF 72 - NSIS 10
Query Message
• Message type flag (M)
– Set to M=0 to indicate the message is a Query message
• Flow identifier
– Descriptor of the data flow
– Source IP address, destination IP address, protocol identifier, higher-layer (port) addressing, flow label, SPI field, DSCP/TOS field.
• Requested volume (RV)
– The number of bytes that a sender requests.
• Volume information (V)
– The number of bytes that a sender has sent since the sender received the permission from the intended receiver.
– It is used to monitor DoS attacks.
• Public key (Ks)
– The sender's public key for the authentication of signaling packets.
– An X.509 certificate is used for the digital signature.
• Cryptography algorithm (C)
– Cryptography algorithm to be used for the authentication field in IPsec AH.
– C=00: RSA, C=01: DSA, C=10: ECDSA
July 2008 IETF 72 - NSIS 11
Permission Message
• Message type flag (M)
– Set to M=1 to indicate the message is a Permission message
• Flow identifier
• Allowed volume (AV)
– The number of bytes that a receiver grants a sender for the request.
• Time limit (TTL)
– Time limit for the permission of the data flow.
• Refresh period (T)
– Used for the soft-state of the permission.
• Solution flags (S)
– S=00: No reaction, S=01: IPsec AH with HMAC, S=10: IPsec AH with public key cryptography for the data flow, S=11: The sender needs to change the data path.
• Public key (Kr)
– The receiver's public key for the authentication of signaling packets.
– An X.509 certificate is used for the digital signature.
• Cryptography algorithm (C)
– Cryptography algorithm to be used for the authentication field in IPsec AH.
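The following is an added example, not code from the draft or its authors, that models the two-way handshake (slide 6) with the Query and Permission fields of slides 10 and 11, and the per-flow permission state a router's traffic management component keeps: deny-by-default screening, volume counting against AV, soft-state expiry after TTL, and modify/revoke on a later Permission. The flow identifier is reduced to a 5-tuple, the "AV=0 revokes" convention and plain-integer byte volumes are assumptions of this model, and the addresses are constructed documentation values.

```python
"""Model of the PBS NSLP handshake and router-side permission state.
Added example, not the draft's or the authors' code. Field names follow
the Query/Permission message slides; the AV=0-revokes convention and
plain-int byte volumes are assumptions of this model."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MB = 1_000_000

# Flow identifier: only the 5-tuple part of the slide's descriptor is modelled
# (flow label, SPI and DSCP/TOS are omitted).
FlowID = Tuple[str, str, int, int, int]  # src IP, dst IP, protocol, src port, dst port

C_RSA, C_DSA, C_ECDSA = 0b00, 0b01, 0b10                               # C field codes
S_NONE, S_AH_HMAC, S_AH_PUBKEY, S_CHANGE_PATH = 0b00, 0b01, 0b10, 0b11  # S field codes


@dataclass(frozen=True)
class Query:
    """Q (M, FID, RV, V, Ks, C): sent by the sender to request permission."""
    M: int        # message type flag, 0 for a Query
    FID: FlowID
    RV: int       # requested volume, bytes
    V: int        # bytes sent since the permission was granted (read by PDA)
    Ks: str       # sender's public key / X.509 certificate, opaque here
    C: int        # algorithm for the IPsec AH authentication field


@dataclass(frozen=True)
class Permission:
    """P (M, FID, AV, TTL, T, S, Kr, C): sent by the receiver; installs,
    modifies or revokes the permission state on the routers it crosses."""
    M: int        # message type flag, 1 for a Permission
    FID: FlowID
    AV: int       # allowed volume, bytes (assumption: AV=0 revokes)
    TTL: float    # time limit of the permission, seconds
    T: float      # soft-state refresh period, seconds
    S: int        # solution flags
    Kr: str       # receiver's public key / X.509 certificate
    C: int


@dataclass
class PermissionState:
    allowed: int        # AV
    forwarded: int      # bytes already forwarded under this permission
    expires_at: float   # install/refresh time + TTL
    solution: int       # S currently in force


class PBSRouter:
    """One of the subset of routers that keeps per-flow state. Deny-by-default
    as in the closed-network case: a flow without state is dropped."""

    def __init__(self) -> None:
        self.state: Dict[FlowID, PermissionState] = {}

    def on_permission(self, p: Permission, now: float) -> None:
        if p.M != 1:
            raise ValueError("not a Permission message")
        if p.AV == 0:                       # revoke: remove the state
            self.state.pop(p.FID, None)
            return
        st = self.state.get(p.FID)
        if st is None:                      # grant: install fresh state
            self.state[p.FID] = PermissionState(p.AV, 0, now + p.TTL, p.S)
        else:                               # refresh/modify: keep the byte count
            st.allowed, st.expires_at, st.solution = p.AV, now + p.TTL, p.S

    def forward(self, fid: FlowID, nbytes: int, now: float) -> bool:
        """Screen one data packet: True if forwarded, False if the IP filter drops it."""
        st = self.state.get(fid)
        if st is None:
            return False                    # no permission: deny by default
        if now >= st.expires_at:
            del self.state[fid]             # soft state was not refreshed in time
            return False
        if st.forwarded + nbytes > st.allowed:
            return False                    # limited permission: volume exhausted
        st.forwarded += nbytes              # count the volume of the flow
        return True


def run_scenario() -> List[bool]:
    """Walk one flow through grant, volume limit, modify, expiry and revoke."""
    fid: FlowID = ("192.0.2.10", "198.51.100.20", 17, 40000, 5004)   # constructed
    q = Query(0, fid, 10 * MB, 0, "cert:sender", C_ECDSA)            # initial request
    grant = Permission(1, fid, q.RV, 30.0, 10.0, S_NONE, "cert:receiver", C_ECDSA)
    router, out = PBSRouter(), []
    out.append(router.forward(fid, 1500, now=0.0))        # no state yet: dropped
    router.on_permission(grant, now=0.0)                  # receiver grants 10 MB
    out.append(router.forward(fid, 1 * MB, now=1.0))      # forwarded
    out.append(router.forward(fid, 9 * MB, now=2.0))      # forwarded, AV reached
    out.append(router.forward(fid, 1, now=3.0))           # over AV: dropped
    bigger = Permission(1, fid, 20 * MB, 30.0, 10.0, S_NONE, "cert:receiver", C_ECDSA)
    router.on_permission(bigger, now=10.0)                # refresh at T raises AV
    out.append(router.forward(fid, 1 * MB, now=11.0))     # forwarded again
    out.append(router.forward(fid, 1, now=45.0))          # no refresh: TTL ran out at t=40
    router.on_permission(grant, now=50.0)                 # new grant after expiry
    out.append(router.forward(fid, 1, now=51.0))          # forwarded
    revoke = Permission(1, fid, 0, 0.0, 0.0, S_NONE, "cert:receiver", C_ECDSA)
    router.on_permission(revoke, now=52.0)
    out.append(router.forward(fid, 1, now=53.0))          # revoked: dropped
    return out
```

The byte count is deliberately kept across a refresh so that a refreshed Permission cannot be used to reset the volume limit; only a new grant after expiry or revocation starts from zero.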
July 2008 IETF 72 - NSIS 12
Basic Operation of PBS NSLP
[Figure: message sequence between Sender, R1, R2 and Receiver (steps labelled 1-5 and T in the original). The Sender's Q (M, FID, RV, V, Ks, C) is forwarded hop by hop through R1 and R2 to the Receiver; the Receiver's P (M, FID, AV, TTL, T, S, Kr, C) travels back through R2 and R1 to the Sender; the data flow follows, and the Query/Permission exchange is repeated after the refresh period T. Arrow legend: data flow, signal flow.]
July 2008 IETF 72 - NSIS 13
Basic Operation of PDA
[Figure: Sender, R1, R2, R3 and Receiver, plus an attacker A spoofing the Sender's address (steps labelled 1-6 and T in the original). Query; Permission (AV=10MB) forwarded back hop by hop; data flow (1MB) from the Sender; attack flow (2MB) from A; Query (V=1MB) forwarded hop by hop; the Receiver detects the attack (1MB vs 3MB) and answers Permission (S=10), forwarded back hop by hop. Arrow legend: data flow, attack flow, signal flow.]
July 2008 IETF 72 - NSIS 14
Detection of Black Hole Attack
[Figure: Sender, R1, R2, R3 and Receiver; one on-path router is the attacker and drops all packets (drop attack). The Sender's Query is forwarded but never answered, so the Sender sees a timeout (T.O.) on the Query; after a second timeout (steps labelled 1 and 2 in the original) the data flow path is changed. Arrow legend: data flow, signal flow.]
July 2008 IETF 72 - NSIS 15
Detection of Dropping Only Data Packets
[Figure: Sender, R1, R2, R3 and Receiver; the attacker router forwards signaling but drops the data packets (drop attack). Steps labelled 1-5 and T in the original: Query; Permission (AV=10MB) forwarded back hop by hop; data flow (1MB) from the Sender, dropped on the path; Query (V=1MB) forwarded hop by hop; the Receiver detects the attack (1MB vs 0MB) and answers Permission (S=11), forwarded back hop by hop. Arrow legend: data flow, signal flow.]
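The receiver-side PDA comparison from slide 7 and the three reaction scenarios of slides 13, 14 and 15, as an added example that is not the draft's or the authors' code. The receiver counts what arrives per flow and compares it with the V field of each Query: more bytes than claimed is answered with S=10 (slide 13, 1MB vs 3MB), fewer with S=11 (slide 15, 1MB vs 0MB); a Query that is never answered is a black hole, and the sender changes path after a second timeout (slide 14). The mapping of each mismatch direction to an S value and the two-timeout threshold follow the figures but are assumptions of this model; flow ids and volumes are constructed.

```python
"""Receiver-side PBS Detection Algorithm (PDA) and sender-side Query timeout.
Added example, not the draft's or the authors' code; S selection per
mismatch direction and the two-timeout threshold are assumptions."""
from typing import Dict, Optional, Tuple

MB = 1_000_000
S_NONE, S_AH_HMAC, S_AH_PUBKEY, S_CHANGE_PATH = 0b00, 0b01, 0b10, 0b11


class PBSReceiver:
    """Authorization component at the receiver: grants volume, counts what
    actually arrives, and compares it with the V field of each Query."""

    def __init__(self, allowed_volume: int) -> None:
        self.allowed = allowed_volume
        self.received: Dict[str, int] = {}   # flow id -> bytes received since grant

    def on_data(self, fid: str, nbytes: int) -> None:
        """Traffic management counts the bytes of every authorized flow."""
        if fid in self.received:
            self.received[fid] += nbytes

    def on_query(self, fid: str, claimed_v: int) -> Tuple[int, int]:
        """Return the (AV, S) fields of the Permission message sent in reply."""
        if fid not in self.received:          # first Query: grant and start counting
            self.received[fid] = 0
            return self.allowed, S_NONE
        actual = self.received[fid]
        if actual > claimed_v:
            # More arrived than the sender says it sent: packets are being
            # injected with the sender's address, so require IPsec AH with
            # public-key authentication on the data flow (slide 13).
            return self.allowed, S_AH_PUBKEY
        if actual < claimed_v:
            # Less arrived than was sent while signaling still passes: data is
            # being dropped on the path, so ask the sender to change path (slide 15).
            return self.allowed, S_CHANGE_PATH
        return self.allowed, S_NONE


class PBSSender:
    """Sender-side soft-state refresh with timeout handling for the black-hole case."""

    def __init__(self, max_timeouts: int = 2) -> None:   # threshold is an assumption
        self.timeouts = 0
        self.path_changed = False
        self.max_timeouts = max_timeouts

    def refresh(self, reply: Optional[Tuple[int, int]]) -> None:
        """Handle the (AV, S) reply to a Query, or None when it timed out."""
        if reply is None:
            self.timeouts += 1
            if self.timeouts >= self.max_timeouts:
                self.path_changed = True      # black hole: route around it
            return
        self.timeouts = 0
        if reply[1] == S_CHANGE_PATH:
            self.path_changed = True          # receiver asked for a new path


def spoofing_scenario() -> int:
    """Slide 13: the sender sends 1 MB, attacker A adds 2 MB with the sender's address."""
    rx = PBSReceiver(10 * MB)
    rx.on_query("S->R", 0)                        # grant, AV=10MB
    rx.on_data("S->R", 1 * MB)                    # the sender's own data
    rx.on_data("S->R", 2 * MB)                    # spoofed attack flow, same flow id
    _, s = rx.on_query("S->R", claimed_v=1 * MB)  # 1MB claimed vs 3MB received
    return s


def drop_scenario() -> int:
    """Slide 15: the 1 MB data flow is dropped on the path, signaling passes."""
    rx = PBSReceiver(10 * MB)
    rx.on_query("S->R", 0)
    _, s = rx.on_query("S->R", claimed_v=1 * MB)  # 1MB claimed vs 0MB received
    return s


def black_hole_scenario() -> Tuple[int, bool]:
    """Slide 14: the attacker drops signaling too, so each Query times out."""
    tx = PBSSender()
    tx.refresh(None)                              # first T.O.
    tx.refresh(None)                              # second T.O.
    return tx.timeouts, tx.path_changed
```

Because V is cumulative since the grant, the receiver's counter is never reset on a refresh; a sender that under-reports V to hide injected traffic only makes the mismatch larger.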