save: source address validity enforcement protocol

© 2003 By Default!

A Free sample background from www.powerpointbackgrounds.com

Slide 1

SAVE: SAVE: Source Address Validity Source Address Validity Enforcement ProtocolEnforcement Protocol

Authors:Authors: Li, Mirkovic, Wang, Li, Mirkovic, Wang, Reiher, Zhang Reiher, Zhang

Presented By:Presented By: Michael Pincott Michael PincottDate:Date: 07/22/2003 07/22/2003

© 2003 By Default!


Slide 2

OutlineOutline

IntroductionIntroduction Design PrinciplesDesign Principles

– SAVE ProtocolSAVE Protocol– SAVE UpdateSAVE Update

SAVE ProtocolSAVE Protocol– ArchitectureArchitecture– Data StructuresData Structures

SAVE UpdatesSAVE Updates– GenerationGeneration– Tree UpdatesTree Updates– ProcessingProcessing– MaintenanceMaintenance– ForwardingForwarding

SecuritySecurity SimulationSimulation DeploymentDeployment ConclusionsConclusions AppendixAppendix

© 2003 By Default!


Slide 3

SAVE: IntroductionSAVE: Introduction

IPs Must Carry Correct Source AddressIPs Must Carry Correct Source Address

– Forging of IP source address allows:Forging of IP source address allows:• AnonymityAnonymity• DDoS AttacksDDoS Attacks• TCP SYN FloodsTCP SYN Floods• Smurf AttacksSmurf Attacks

© 2003 By Default!


Slide 4


Existing Methods of Handling Forged Existing Methods of Handling Forged IPs:IPs:

– Tracing back the source of the attack with the Tracing back the source of the attack with the help of system administrators.help of system administrators.

– Ingress FilteringIngress Filtering

– Filtering forged packets on basis of forwarding Filtering forged packets on basis of forwarding tabletable

– Using cryptographic authenticationUsing cryptographic authentication

© 2003 By Default!


Slide 5


Solution:Solution:

– Build reliable router tables specifying the Build reliable router tables specifying the allowable incoming source address on incoming allowable incoming source address on incoming connections.connections.

– Run on individual routers.Run on individual routers.

© 2003 By Default!


Slide 6

OutlineOutline






© 2003 By Default!


Slide 7

Design PrinciplesDesign Principles

SAVE Protocol:SAVE Protocol:

– Routing Protocol IndependenceRouting Protocol Independence

– Immediate Response to Routing ChangesImmediate Response to Routing Changes

– SecuritySecurity

– Incremental DeploymentIncremental Deployment

– Low OverheadLow Overhead

© 2003 By Default!


Slide 8

Design PrinciplesDesign Principles

SAVE Updates:SAVE Updates:

– End-to-End CommunicationEnd-to-End Communication

– Aggregation of SAVE UpdatesAggregation of SAVE Updates

– Minimize DuplicationMinimize Duplication

© 2003 By Default!


Slide 9

OutlineOutline






© 2003 By Default!


Slide 10

SAVE ProtocolSAVE Protocol

Build router tables that specify valid source Build router tables that specify valid source addresses on incoming interfaces.addresses on incoming interfaces.

SAVE updates are then sent to routers SAVE updates are then sent to routers downstream so they can build tables listing downstream so they can build tables listing valid source address that can come from valid source address that can come from these incoming interfaces.these incoming interfaces.

SAVE updates consist or three fields – SAVE updates consist or three fields – destination address space, address space destination address space, address space vector, appendable flag.vector, appendable flag.

© 2003 By Default!


Slide 11


Example – Save Updates:Example – Save Updates:

– Router B forwards packets Router B forwards packets from a network that have the from a network that have the source addresses of source addresses of 131.192.0.0/16 and sends this 131.192.0.0/16 and sends this data to router A.data to router A.

– Router A is connected to Router A is connected to routers R and r through routers R and r through interface 1 and 2.interface 1 and 2.

– Router A forwards the SAVE Router A forwards the SAVE information through interfaces information through interfaces 1 and 2 to routers R and r.1 and 2 to routers R and r.

© 2003 By Default!


Slide 12


Example – Routing Changes:Example – Routing Changes:

– (b) Router A keeps lists of the (b) Router A keeps lists of the source addresses it expects to source addresses it expects to receive on each incoming receive on each incoming interface.interface.

– Link DB goes down.Link DB goes down.

– (c) Save Updates inform router (c) Save Updates inform router A to expect valid source A to expect valid source addresses on different addresses on different interfaces.interfaces.

© 2003 By Default!


Slide 13


Example – Routing Example – Routing Changes and Incoming Changes and Incoming Tree Updates:Tree Updates:

– (a) Router A has a tree (a) Router A has a tree listing all the valid source listing all the valid source addresses arriving at each addresses arriving at each interface.interface.

– Link DB goes down.Link DB goes down.

– (b) Tree is updates to show (b) Tree is updates to show the change in network the change in network topology due to link DB’s topology due to link DB’s failure.failure.

© 2003 By Default!


Slide 14


Tree Attributes:Tree Attributes:

– Tree is constructed through SAVE updates.Tree is constructed through SAVE updates.

– Tree nodes represent specific source Tree nodes represent specific source address spaces.address spaces.

– Child nodes inherit the same incoming Child nodes inherit the same incoming interface as their parent.interface as their parent.

© 2003 By Default!


Slide 15


© 2003 By Default!


Slide 16

OutlineOutline






© 2003 By Default!


Slide 17

SAVE UpdatesSAVE Updates

Updates consist of:Updates consist of: <destination space = D, ASV (address space vector) <destination space = D, ASV (address space vector) = <Sr>, appendable = true/false>= <Sr>, appendable = true/false>

– Destination Space is the final destination address of this Destination Space is the final destination address of this SAVE updateSAVE update

– Address Space Vector records source address spaces on Address Space Vector records source address spaces on the path the SAVE update has traversed in route to the the path the SAVE update has traversed in route to the destination.destination.

– Appendable is a flag that allows routers in route to the Appendable is a flag that allows routers in route to the destination to update with ASR with more information.destination to update with ASR with more information.

Updates are encapsulated inside the IP datagram Updates are encapsulated inside the IP datagram whose destination is randomly chosen from D.whose destination is randomly chosen from D.

© 2003 By Default!


Slide 18


SAVE updates in route to the SAVE updates in route to the destination will go through other SAVE destination will go through other SAVE routers. Each intermediate routers routers. Each intermediate routers updates its SAVE tree based on the updates its SAVE tree based on the source addresses in the ASV field of the source addresses in the ASV field of the SAVE update.SAVE update.

If the appendable flag is a true, the If the appendable flag is a true, the intermediate SAVE router can update intermediate SAVE router can update and append values in the ASV field.and append values in the ASV field.

© 2003 By Default!


Slide 19


SAVE Update Processing:SAVE Update Processing:

– When a router receives a SAVE Update it When a router receives a SAVE Update it must perform some processing to maintain must perform some processing to maintain its tree.its tree.

– Records the path that the SAVE update Records the path that the SAVE update have traversed.have traversed.

– Assures the SAVE update follows the Assures the SAVE update follows the same path to the destination as the data same path to the destination as the data packet.packet.

© 2003 By Default!


Slide 20


ASV Maintenance:ASV Maintenance:

– If a router initiates a SAVE update to a If a router initiates a SAVE update to a destination router that has the same destination router that has the same destination as another SAVE update that destination as another SAVE update that was just transmitted, the appendable flag was just transmitted, the appendable flag can be set to false as there is no need to can be set to false as there is no need to resend redundant data.resend redundant data.

– Downstream routers can still read the ASV Downstream routers can still read the ASV field but can not append to it.field but can not append to it.

© 2003 By Default!


Slide 21


SAVE Update Forwarding:SAVE Update Forwarding:

– SAVE Updates are sent to all routers in its SAVE Updates are sent to all routers in its IP forwarding tables.IP forwarding tables.

– In cases where there are multiple In cases where there are multiple forwarding points going to the same forwarding points going to the same destination, SAVE duplicates SAVE destination, SAVE duplicates SAVE updates and forwards SAVE updates to the updates and forwards SAVE updates to the multiple forwarding points. multiple forwarding points.

© 2003 By Default!


Slide 22

OutlineOutline






© 2003 By Default!


Slide 23

SecuritySecurity

Securing SAVE is similar to securing routing Securing SAVE is similar to securing routing protocols.protocols.

SAVE Updates should be exchanged between SAVE Updates should be exchanged between routers and not hosts.routers and not hosts.– Attackers would have to compromise routers to mount Attackers would have to compromise routers to mount

attacks on SAVE.attacks on SAVE.

Routers should establish trust relationships prior to Routers should establish trust relationships prior to SAVE Update exchanges.SAVE Update exchanges.

SAVE Updates should be signed or encrypted.SAVE Updates should be signed or encrypted.

Processing of SAVE Updates should require minimal Processing of SAVE Updates should require minimal overhead to prevent against DoS attacks. overhead to prevent against DoS attacks.

© 2003 By Default!


Slide 24

OutlineOutline






© 2003 By Default!


Slide 25

SimulationSimulation

Goals:Goals:

– Test if all spoofed packets can be detected Test if all spoofed packets can be detected and dropped.and dropped.

– Test if valid packets are accidentally Test if valid packets are accidentally dropped.dropped.

– Test transient behavior of SAVE.Test transient behavior of SAVE.

– Determine the cost of SAVE in terms of Determine the cost of SAVE in terms of overhead.overhead.

© 2003 By Default!


Slide 26


Simulation Details:Simulation Details:

– Custom simulation environment utilized.Custom simulation environment utilized.

– SAVE is run in addition to routing protocols.SAVE is run in addition to routing protocols.

– Inter and Intra domain connectivity tested with the Inter and Intra domain connectivity tested with the use of the transit-stub topology generator from use of the transit-stub topology generator from GT-ITM.GT-ITM.

– BGP used for inter-domain routing and RIP used BGP used for inter-domain routing and RIP used for intra-domain routing.for intra-domain routing.

© 2003 By Default!


Slide 27


Effectiveness:Effectiveness:

– Three packet sources simulated.Three packet sources simulated.

– Each packet source generates Each packet source generates valid and spoofed packets using valid and spoofed packets using independent Poisson processes.independent Poisson processes.

– Numerous scenarios with different Numerous scenarios with different topologies tested.topologies tested.

– Only spoofed packets shows in Only spoofed packets shows in Figure 5.Figure 5.

– Results show that SAVE catches Results show that SAVE catches and drops all spoofed packets.and drops all spoofed packets.

© 2003 By Default!


Slide 28


Transient Behavior:Transient Behavior:

– Occurs when a new route to a destination is established. SAVE trees Occurs when a new route to a destination is established. SAVE trees need time to be built and propagated through the network via SAVE need time to be built and propagated through the network via SAVE Updates.Updates.

– Assumption is that the propagation delay of save is equal to that of a Assumption is that the propagation delay of save is equal to that of a valid packet.valid packet.

– If data packets are sent while SAVE Update is still being generated If data packets are sent while SAVE Update is still being generated due to forwarding router changes, invalid datagram packets may due to forwarding router changes, invalid datagram packets may reach destination before SAVE Update. Datagram packets may be reach destination before SAVE Update. Datagram packets may be valid using the obsolete incoming information.valid using the obsolete incoming information.

– SAVE may process a valid packet as a spoofed packet if a packet is SAVE may process a valid packet as a spoofed packet if a packet is received at a router before the incoming trees and tables are fully received at a router before the incoming trees and tables are fully built.built.

– Experiments (not described in text) show no filtering drop of valid Experiments (not described in text) show no filtering drop of valid packets due to routing changes.packets due to routing changes.

© 2003 By Default!


Slide 29


Cost (Bandwidth Used):Cost (Bandwidth Used):

– Measured bandwidth and storage require for SAVE versus routing Measured bandwidth and storage require for SAVE versus routing protocols (RIP, BGP).protocols (RIP, BGP).

– Incoming SAVE tables can be minimized by finding by leveraging Incoming SAVE tables can be minimized by finding by leveraging symmetries in network routing. symmetries in network routing.

– Minimization compares the valid incoming interfaces for a specific Minimization compares the valid incoming interfaces for a specific address space against the outgoing interface.address space against the outgoing interface.

– Level of minimization depends on the degree of symmetry in the Level of minimization depends on the degree of symmetry in the network.network.

– For single domain topologies, bandwidth used is 3.2Kbps to For single domain topologies, bandwidth used is 3.2Kbps to 6.9Kbps.6.9Kbps.

– For multiple domain topologies, bandwidth used is 0.6Kbps to For multiple domain topologies, bandwidth used is 0.6Kbps to 6.4Kbps.6.4Kbps.

© 2003 By Default!


Slide 32


Cost (Bandwidth used in random link failure simulations):Cost (Bandwidth used in random link failure simulations):

– Simulations compare the bandwidth cost of SAVE versus BGP and Simulations compare the bandwidth cost of SAVE versus BGP and RIP in a simulation where random link failure in introduced.RIP in a simulation where random link failure in introduced.

– Specific topologies tested with 90 and 97 linksSpecific topologies tested with 90 and 97 links

– Costs for SAVE and the other routing protocols varies depending on Costs for SAVE and the other routing protocols varies depending on severity of link failure.severity of link failure.

– In general, SAVE costs less in a random link failure model than the In general, SAVE costs less in a random link failure model than the routing protocols.routing protocols.

– SAVE Updates are not always triggered in link failure as some SAVE Updates are not always triggered in link failure as some forwarding tables are not bothered. This leads to less bandwidth forwarding tables are not bothered. This leads to less bandwidth used.used.

© 2003 By Default!


Slide 37

DeploymentDeployment

Deployment:Deployment:

– SAVE must be effective even when partially deployed.SAVE must be effective even when partially deployed.

– Packets from a source address through a legacy router that is not Packets from a source address through a legacy router that is not verified through SAVE can be flagged for suspicion.verified through SAVE can be flagged for suspicion.

– Deploying SAVE in a regional router protects the region from a type Deploying SAVE in a regional router protects the region from a type of TCP SYN attack where a victim’s source address is spoofed and of TCP SYN attack where a victim’s source address is spoofed and if then flooded with SYN-ACK responses.if then flooded with SYN-ACK responses.

– Regional SAVE deployment limits the number of spoofable Regional SAVE deployment limits the number of spoofable addresses.addresses.

– Purdue’s research of distributed packet filtering is complementary to Purdue’s research of distributed packet filtering is complementary to SAVE and shows that even partial deployment decreases chances SAVE and shows that even partial deployment decreases chances of malicious attacks.of malicious attacks.

© 2003 By Default!


Slide 38

DeploymentDeployment

Mobile IP and Tunnelling:Mobile IP and Tunnelling:

– Mobile hosts carry their home IP address. SAVE rejects Mobile hosts carry their home IP address. SAVE rejects the mobile host if outside its home network.the mobile host if outside its home network.

– Reverse tunnelling technique can also work for SAVE. Reverse tunnelling technique can also work for SAVE. Return packets are sent to home network then forwarded Return packets are sent to home network then forwarded to the mobile host.to the mobile host.

– IPv6 has a “care-of address” which solves this problem.IPv6 has a “care-of address” which solves this problem.

– In IP Tunnelling, a packets source address is buried inside In IP Tunnelling, a packets source address is buried inside a wrapping IP header. SAVE must be able to look inside a wrapping IP header. SAVE must be able to look inside the packet to find the true source address.the packet to find the true source address.

– Known tunnel end points can have special SAVE Updates.Known tunnel end points can have special SAVE Updates.

© 2003 By Default!


Slide 39

OutlineOutline





SecuritySecurity SimulationSimulation DeploymentDeployment ConclusionsConclusions

© 2003 By Default!


Slide 40

ConclusionConclusion

SAVE allows for network security without SAVE allows for network security without computationally expensive cryptography.computationally expensive cryptography.

SAVE utilizes the construction of tables and SAVE utilizes the construction of tables and trees to disallow the use of spoofed IPs with trees to disallow the use of spoofed IPs with no more complexity than that already no more complexity than that already implemented by routing protocols.implemented by routing protocols.

SAVE can help defend against DoS and SAVE can help defend against DoS and DDoS attacks currently plaguing the Internet.DDoS attacks currently plaguing the Internet.

save: source address validity enforcement protocol

Documents