Rule based Forwarding (RBF): improving the Internet s flexibility and security. Lucian Popa, Ion Stoica, Sylvia Ratnasamy UC Berkeley Intel Labs

Transcription

1 Rule based Forwarding (RBF): improving the Internet s flexibility and security Lucian Popa, Ion Stoica, Sylvia Ratnasamy UC Berkeley Intel Labs

2 Motivation Improve network s flexibility Middlebox support, multi path routing, loose path routing, mobility, delay tolerant communications, active nodes Improve network s security In network filters, network capabilities, default off Typically conflicting goals and mechanisms

3 Motivation Example Flexibility circumvents security DoS Attack

4 Motivation Example Flexibility circumvents security In network filters protect the destination

5 Motivation Example Flexibility circumvents security In network filters protect the destination Middlebox suport & loose path routing may enable users to bypass in network filters

6 Motivation Example Flexibility circumvents security In network filters protect the destination Flexibility may circumvent security Middlebox suport & loose path routing may enable users to bypass in network filters

7 Motivation Example Security limits flexiblity Network capabilities bind a communication to a path

8 Motivation Example Security limits flexiblity Network capabilities bind a communication to a path Mobile nodes may change paths frequently

9 Motivation Example Security limits flexiblity Network capabilities bind a communication to a path Security may limit flexibility Mobile nodes may change paths frequently

10 Rule based Forwarding (RBF) Overview Packet forwarded on rules instead of destination addresses Rule Packet

11 Rule based Forwarding (RBF) Overview Packet forwarded on rules instead of destination addresses Rule Packet Rule specifies How packets should be forwarded Flexibility What packets can be forwarded Security

12 Rule based Forwarding (RBF) Overview Packet forwarded on rules instead of destination addresses Rule Packet 1. Rules are mandatory 2. Rules are provably valid All recipients in rule (destination, waypoints) explicitly agree to receive the associated packets 3. Rules are provably safe Cannot exhaust network resources 4. Rules are flexible End hosts can control path & use in network functionality

13 Rule based Forwarding (RBF) Overview Packet forwarded on rules instead of destination addresses Rule Packet 1. Rules are mandatory 2. Rules are provably valid All recipients in rule (destination, waypoints) explicitly agree to receive the associated packets 3. Rules are provably safe Cannot exhaust network resources 4. Rules are flexible End hosts can control path & use in network functionality

14 Rule based Forwarding (RBF) Overview Packet forwarded on rules instead of destination addresses Rule Packet 1. Rules are mandatory 2. Rules are provably valid All recipients in rule (destination, waypoints) explicitly agree to receive the associated packets 3. Rules are provably safe Cannot exhaust network resources 4. Rules are flexible End hosts can control path & use in network functionality

15 Rule based Forwarding (RBF) Overview Packet forwarded on rules instead of destination addresses Rule Packet 1. Rules are mandatory 2. Rules are provably valid All recipients in rule (destination, waypoints) explicitly agree to receive the associated packets 3. Rules are provably safe Cannot exhaust network resources 4. Rules are flexible End hosts can control path & use in network functionality

16 Rule based Forwarding (RBF) Overview Destinations own rules Senders Insert rules in packets Obtain destination s rule via an extended DNS DNS S D R_D Payload D s rule Packet may also contain a return rule

17 Outline Motivation RBF Approach Overview RBF Forwarding Mechanism RBF Security Mechanism Examples Preliminary Evaluation

18 RBF Mechanism Specification Rules: sequence of actions conditioned by if then else statements if(<condition>) ACTION1 else ACTION2 Conditions: comparison operations on packet & router attributes Example: drop packets if port different than 80 if(packet.dest_port!= 80) drop

19 RBF Mechanism Actions At each router, rule can: 1. Modify packet header 2. Drop packet 3. Forward i. To destination / next waypoint as specified by the rule ii. To upper layers: Invoke specific functionality / Transport

20 RBF Mechanism Attributes RBF packet header contains attributes E.g. packet s next destination, whether the packet visited a middlebox, etc. Rules can modify packet attributes Rules cannot modify anything else in the packet Rule Attributes Payload RBF routers may expose router attributes E.g. router s address, queue size, specific functionality, etc. Rules cannot modify router attributes Router Attributes

21 RBF Mechanism Attributes RBF packet header contains attributes E.g. packet s next destination, whether the packet visited a middlebox, etc. Rules can modify packet attributes Rules cannot modify anything else in the packet Rule Attributes Payload RBF routers may expose router attributes E.g. router s address, queue size, specific functionality, etc. Rules cannot modify router attributes Router Attributes

22 RBF Mechanism Illustration Router Attributes Rule Attributes Payload

23 RBF Mechanism Illustration Router Attributes Rule Attributes Payload

24 RBF Mechanism Illustration Router Attributes Rule Attributes Payload

25 RBF Mechanism Illustration Router Attributes Rule Attributes Payload

26 RBF Mechanism Illustration Router Attributes Rule Attributes Payload A. Forward to next hop

27 RBF Mechanism Illustration Router Attributes Rule Attributes Payload B. Drop A. Forward to next hop

28 RBF Mechanism Illustration Router Attributes Functionality Rule Attributes Payload C. Invoke router / middlebox functionality B. Drop A. Forward to next hop

29 RBF Mechanism Division of control End host control ISP/Mbox control Rules cannot Replicate packets Rule Payload Keep state at routers Modify packet payload Implement algorithms other than comparisons Functionality Rules can leverage functionalityat at enhanced routers & middleboxes for this purpose E.g. IDS, encryption, multicast, etc. Under the control of ISPs owning routers & middlebox owners!

30 RBF Mechanism Above IP Rules not about route discovery or route computation RBF reuses IP for this purpose ISPs control IP layer Rule based Forwarding RBF Routing controlled Forwarding IP Packet attributes 5 tuple IP source/ destination, transport ports, protocol User defined attributes with arbitrary semantics

31 Outline Motivation RBF Approach Overview RBF Forwarding Mechanism RBF Security Mechanism Examples Preliminary Evaluation

32 RBF Security Valid Rules Example: Unicast Current Internet S destination = D D

33 RBF Security Valid Rules Example: Unicast RBF S sendto D D Rule

34 RBF Security Valid Rules Example: Unicast RBF S sendto D D Rule Signature: proves D s approval to receive packets onthis rule

35 RBF Security Valid Rules Example: Unicast RBF S sendto D D Routers verify the rule signature. If it fails they drop the packet.

36 RBF Security Valid Rules Example: Unicast RBF S sendto D D Even if someone knows D s address, it cannot send packets to D without an approved rule

37 RBF Security Infrastructure Rules certified by trusted third parties Rule Certification Entities (RCEs) Ensures rules are valid and safe Rules cannot be tampered Rules have associated leases RBF uses an anti spoofing mechanism

38 RBF Security Infrastructure Rules certified by trusted third parties Rule Certification Entities (RCEs) Ensures rules are valid and safe Rules cannot be tampered Rules have associated leases RBF uses an anti spoofing mechanism

39 RBF Security Infrastructure Rules certified by trusted third parties Rule Certification Entities (RCEs) Ensures rules are valid and safe Rules cannot be tampered Rules have associated leases RBF requires an anti spoofing mechanism

40 RBF Security Signature Verification Routers know the public keys of all RCEs Not too many RCEs Can signatures be verified on the data plane? Not all routers need to verify signatures Trust boundary routers only Not all packets need to be verified Verifications can be cached

41 RBF Security Rule Creation & Certification For non sophisticated users, rules can be returned by an extended DHCP Destinations ask RCEs to certify their rules RCEs contracted by ISP ordirectly D RCE

42 Outline Motivation RBF Approach Overview RBF Forwarding Mechanism RBF Security Mechanism Examples Preliminary evaluation

43 Examples DoS protection Create capability like rules, e.g. for a client with address S R_S_D: if(packet.source!= S) drop sendto D

44 Examples DoS protection Create capability like rules, e.g. for a client with address S R_S_D: if(packet.source!= S) drop sendto D

45 Examples DoS protection Create capability like rules, e.g. for a client with address S R_S_D: if(packet.source!= S) drop sendto D

46 Examples DoS protection Create capability like rules, e.g. for a client with address S R_S_D: if(packet.source!= S) drop sendto D D can control number simultaneous clients by controlling number of rules

47 Examples DoS protection Create capability like rules, e.g. for a client with address S R_S_D: if(packet.source!= S) drop sendto D D can control number simultaneous clients by controlling number of rules Need a way to grant rules on demand Dynamic DNS

48 Examples DoS protection D can protect against DoS by redirecting its DNS entry to a large entity E E E forwards rule requests to D DNS RED R_E_D D s Ds rule =? D S E performs rate throttling

49 Examples DoS protection D can protect against DoS by redirecting its DNS entry to a large entity E E D s incoming rate is controlled DNS RED R_E_D D s Ds rule =? D S E performs rate throttling

50 Examples DoS protection D can protect against DoS by redirecting its DNS entry to a large entity E E D cannot be contacted directly DNS RED R_E_D D s Ds rule =? D S E performs rate throttling

51 Examples DoS protection D can protect against DoS by redirecting its DNS entry to a large entity E E DNS RED R_E_D D s Ds rule =? D S R_E_D allows only traffic from E to D

52 Examples DoS protection D can protect against DoS by redirecting its DNS entry to a large entity E E DNS D S Create & certify capability like rule R_S_D for S

53 Examples DoS protection D can protect against DoS by redirecting its DNS entry to a large entity E E DNS D S R_S R_S_D

54 Examples DoS protection D can protect against DoS by redirecting its DNS entry to a large entity E E DNS D S R_S_D

55 Examples DoS protection D can protect against DoS by redirecting its DNS entry to a large entity E E DNS D S R_S_D Capability like lik rule

56 Examples DoS protection D can protect against DoS by redirecting its DNS entry to a large entity E E E not easily DoSed DNS D S R_S_D

57 Examples DoS protection Alternatively, to not involve D, E could create & certify rules in D s name E is a large entity with RCE functionality DNS E Rule granting policy D S RS R_S RSD R_S_D

58 Examples DoS protection Alternatively, to not involve D, E could create & certify rules in D s name E DNS D S R_S_D

59 Examples Waypoint R_D: Go to R1 before reaching D Waypoint R1 S D

60 Examples Waypoint R_D: Go to R1 before reaching D Waypoint R1 R_D needs to be approved by R1 S D

61 Examples Waypoint R_D: if(packet.been_to_r1 == 0) if(router.address!= R1) sendto R1 else packet.been_to_r1 = 1 if(packet.been_to_r1 == 1) sendto D R1 S D

62 Examples Waypoint R_D: if(packet.been_to_r1 == 0) if(router.address!= R1) sendto R1 else packet.been_to_r1 = 1 if(packet.been_to_r1 == 1) sendto D packet attribute that indicates if packet has visited R1 or not yet R1 S R_D been_to_r1 = 0 D

63 Examples Waypoint R_D: if(packet.been_to_r1 == 0) if(router.address!= R1) sendto R1 else packet.been_to_r1 = 1 if(packet.been_to_r1 == 1) sendto D Before the waypoint R1 S R_D been_to_r1 = 0 D

64 Examples Waypoint R_D: if(packet.been_to_r1 == 0) if(router.address!= R1) sendto R1 else packet.been_to_r1 = 1 if(packet.been_to_r1 == 1) sendto D At the waypoint R1 router.address = R1 R_D been_to_r1 = 1 S D

65 Examples Waypoint R_D: if(packet.been_to_r1 == 0) if(router.address!= R1) sendto R1 else packet.been_to_r1 = 1 if(packet.been_to_r1 == 1) sendto D After the waypoint R1 S R_D been_to_r1 = 1 D

66 Examples Waypoint R_S:... Return rule R1 S R_S R_S s attributes D

67 Examples Middlebox R_D: if(packet.been_to_r1 == 0) if(router.address!= R1) sendto R1 else packet.been_to_r1 = 1 invoke IDS_func if(packet.been_to_r1 == 1) sendto D R1 IDS functionality Addition to the waypoint rule S D

68 Examples Middlebox R_D: if(packet.been_to_r1 == 0) if(router.address!= R1) sendto R1 else packet.been_to_r1 = 1 Can also use such invoke IDS_func functionalities at enhanced if(packet.been_to_r1 == 1) on path routers! sendto D R1 IDS functionality S D

69 Examples Provenance Verification R_D: if(packet.been_to_r1 == 0) if(router.address!= R1) sendto R1 else packet.been_to_r1 = 1 invoke IDS_func if(packet.been_to_r1 == 1) sendto D R1 Malicious user could set the packet attributes such as to appear packet has visited the middlebox S R_D been_to_r1 = 1 D

70 Examples Provenance Verification (1) R_D: if(packet.been_to_r1 == 0) if(router.address!= R1) sendto R1 else packet.been_to_r1 = 1 Allow only packets kt from R1 packet.source = R1 when state equals 1 invoke IDS_func if(packet.been_to_r1 to == 1) if(packet.source == R1) sendto D Anti spoofing does not allow spoofing the source attribute

71 Examples Provenance Verification (2) R_D: if(packet.been_to_r1 == 0) if(router.address!= R1) sendto R1 else packet.been_to_r1 = 1 invoke Crypto_proof if(packet.been_to_r1 == 1) packet. been_to_r1 = 2 invoke IDS_func if(packet.been_to_r1 == 2) if(router.address!= D) sendto D else invoke Verify_ and_ Deliver Invoke functionality to (cryptographically) prove packet visited middlebox Invoke functionality to verify the middlebox proofs at D

72 Examples Conditioned Middlebox R_D: if(packet.dest_port == 80) sendto D else //Middlebox rule... to port 80 Use the Middlebox only for packets not destined to port 80 R1 IDS functionality S Port 80 Non port 80 D

73 RBF Enables End Users 1. Block unwanted packets in the network 2. (Secure) Control over path using waypoints 3. Use router state in forwarding decisions and record this state 4. Use enhanced functionality at middleboxes and routers, if available

74 RBF Examples Filter ports/prefixes only receive specific traffic Middleboxes Protect against DoS attacks Secure loose path forwarding Anycast Record path state network probing, ECN Mobility Multiple paths On path redirection Delay Tolerant Networks Use on path router functionalities deployed by ISPs Multicast, caching, WAN optimizers...

75 Outline Motivation RBF Approach Overview RBF Forwarding Mechanism RBF Security Mechanism Examples Preliminary Evaluation

76 Preliminary Evaluation Rule Sizes Bytes Signature Identifier Rule

77 Preliminary Evaluation Rule Sizes Bytes Overheadofonerule one rule is ~60 140bytes Signature Identifier Rule

78 Preliminary Evaluation Rule Sizes Bytes Could be improved in the future Signature Identifier Rule

79 Preliminary Evaluation Forwarding using rules RBF implemented in Click applied on top of RouteBricks RBF over RouteBricks RouteBricks alone Gbps

80 Preliminary Evaluation Forwarding using rules RBF implemented in Click applied on top of RouteBricks RBF over RouteBricks RouteBricks alone Gbps Rule forwardingincurs incurs little overhead onroutebricks

81 Preliminary Evaluation Forwarding using rules RBF implemented in Click applied on top of RouteBricks RBF over RouteBricks RouteBricks alone Gbps No overhead for packets > 300B

82 Preliminary Evaluation Forwarding using rules RBF implemented in Click applied on top of RouteBricks RBF over RouteBricks RouteBricks alone Gbps Soft router RBF can forward up to 23Gbps

83 Preliminary Evaluation Signatureverification Only at trust boundary routers (see lower traffic than core) Result can be cached Cache is small (e.g. g 14 bytes/rule) and exact match lookup Only 1% of backbone link capacity are packets from new flows (CAIDA 2009 sample) Existing hardware (crypto processors, ASICs, FPGAs) can already handle tens of thousands verifications / s Can be parallelized!

84 Summary & Questions RBF flexible and secure Each packet carries rule Rule expresses how packets should be forwarded and what packets can be forwarded Destination / waypoints approve rules Rule flexible: if then else conditions on packet & router attributes and use of router functionalities Rules are signed by third parties Routers verify authenticity & forward by the rule