1 Rule-based Forwarding (RBF): improving the Internet's flexibility and security. Lucian Popa, Ion Stoica, Sylvia Ratnasamy (UC Berkeley, Intel Labs)
2 Motivation
Improve the network's flexibility: middlebox support, multi-path routing, loose path routing, mobility, delay-tolerant communications, active nodes.
Improve the network's security: in-network filters, network capabilities, default-off.
These are typically conflicting goals and mechanisms.
3-6 Motivation Example: flexibility circumvents security
DoS attack: in-network filters protect the destination. But middlebox support and loose path routing may enable users to bypass the in-network filters, so flexibility may circumvent security.
7-9 Motivation Example: security limits flexibility
Network capabilities bind a communication to a path, but mobile nodes may change paths frequently, so security may limit flexibility.
10-15 Rule-based Forwarding (RBF) Overview
Packets are forwarded on rules instead of destination addresses: each packet carries a rule. The rule specifies how packets should be forwarded (flexibility) and what packets can be forwarded (security).
1. Rules are mandatory.
2. Rules are provably valid: all recipients in the rule (destination, waypoints) explicitly agree to receive the associated packets.
3. Rules are provably safe: they cannot exhaust network resources.
4. Rules are flexible: end hosts can control the path and use in-network functionality.
16 RBF Overview: rule ownership
Destinations own rules. Senders insert rules in packets, obtaining the destination's rule via an extended DNS. (Figure: S queries DNS for D's rule and sends a packet carrying R_D followed by the payload.) A packet may also contain a return rule.
17 Outline
Motivation; RBF approach overview; RBF forwarding mechanism; RBF security mechanism; examples; preliminary evaluation.
18 RBF Mechanism: Specification
Rules are sequences of actions conditioned by if-then-else statements:
  if(<condition>) ACTION1 else ACTION2
Conditions are comparison operations on packet and router attributes. Example, drop packets whose port is not 80:
  if(packet.dest_port != 80) drop
19 RBF Mechanism: Actions
At each router, a rule can: 1. modify the packet header; 2. drop the packet; 3. forward the packet, either (i) to the destination or next waypoint as specified by the rule, or (ii) to the upper layers, to invoke specific functionality or hand the packet to transport.
20-21 RBF Mechanism: Attributes
The RBF packet header contains packet attributes, e.g. the packet's next destination or whether the packet has visited a middlebox. Rules can modify packet attributes; they cannot modify anything else in the packet (packet layout: Rule | Attributes | Payload). RBF routers may expose router attributes, e.g. the router's address, queue size or specific functionality. Rules cannot modify router attributes.
22-28 RBF Mechanism: Illustration
(Figure: a router, with its router attributes, receives a packet laid out as Rule | Attributes | Payload and executes the rule against both. The possible outcomes are A. forward to the next hop, B. drop, and C. invoke router or middlebox functionality.)
29 RBF Mechanism: Division of control
End-host control: the rule. ISP/middlebox control: the functionality.
Rules cannot replicate packets, keep state at routers, modify the packet payload, or implement algorithms other than comparisons. For these purposes rules can leverage functionality at enhanced routers and middleboxes, e.g. IDS, encryption, multicast; that functionality stays under the control of the ISPs owning the routers and of the middlebox owners.
30 RBF Mechanism: Above IP
Rules are not about route discovery or route computation; RBF reuses IP for that, and ISPs keep control of the IP layer. Rule-based forwarding sits above IP: RBF is forwarding controlled by the rule, IP is routing controlled by the ISP. Packet attributes are the 5-tuple (IP source/destination, transport ports, protocol) plus user-defined attributes with arbitrary semantics.
32-36 RBF Security: Valid rules, unicast example
Current Internet: S sends a packet with destination = D.
RBF: S sends a packet carrying D's rule, sendto D. The rule carries a signature that proves D's approval to receive packets on this rule. Routers verify the rule signature and drop the packet if verification fails. So even someone who knows D's address cannot send packets to D without an approved rule.
37-39 RBF Security: Infrastructure
Rules are certified by trusted third parties, Rule Certification Entities (RCEs), which ensure that rules are valid and safe. Certified rules cannot be tampered with. Rules have associated leases. RBF requires an anti-spoofing mechanism.
40 RBF Security: Signature verification
Routers know the public keys of all RCEs (there are not too many RCEs). Can signatures be verified on the data plane? Not all routers need to verify signatures: trust-boundary routers only. Not all packets need to be verified: verification results can be cached.
41 RBF Security: Rule creation and certification
Destinations ask RCEs to certify their rules; RCEs are contracted by the ISP or directly by the destination. For non-sophisticated users, rules can be returned by an extended DHCP. (Figure: D sends its rule to an RCE and receives the certified rule.)
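The certification and verification flow of slides 37-41, as an added example written for this page (not the RBF authors' code and not a real RCE). It assumes a certified rule carries an RCE name, a rule identifier, the rule text, a lease end and a signature; it uses textbook RSA over a truncated SHA-256 with fixed toy primes as a constructed stand-in for whatever signature scheme an RCE would deploy (not secure, chosen only to keep the example dependency-free); and it models the trust-boundary router's small exact-match verification cache from slide 40.

```python
"""Toy RBF rule certification (RCE side) and verification (trust-boundary router).
Added example constructed for this page, not the RBF authors' code. The signature is
textbook RSA over a truncated SHA-256 with toy-sized fixed primes: a stand-in, not
secure. What it does show is the split of keys (routers hold only RCE public keys),
the lease check, and why the verification cache must be keyed on exactly what was
verified rather than on the rule identifier alone."""
import hashlib


def _modinv(a, m):
    """Modular inverse by extended Euclid (a and m coprime)."""
    r0, r1, s0, s1 = a, m, 1, 0
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    return s0 % m


# Constructed RCE key pair from two known primes, 2^61-1 and 2^31-1 (toy-sized).
P, Q = 2305843009213693951, 2147483647
N, E = P * Q, 65537
D_PRIV = _modinv(E, (P - 1) * (Q - 1))      # held by the RCE only
RCE_PUBKEYS = {"RCE1": (N, E)}              # every RBF router knows all RCE public keys


def _digest(rce, rule_id, rule_text, expires):
    """Bind RCE name, rule identifier, rule text and lease end into one 64-bit value
    (always < N, so textbook RSA applies directly)."""
    h = hashlib.sha256(f"{rce}|{rule_id}|{rule_text}|{expires}".encode()).digest()
    return int.from_bytes(h[:8], "big")


def rce_certify(rule_id, rule_text, lease_seconds, now, rce="RCE1"):
    """RCE side: after checking the rule is valid and safe (elided here), sign it
    together with a lease end. Returns the certified rule a sender would carry."""
    expires = now + lease_seconds
    sig = pow(_digest(rce, rule_id, rule_text, expires), D_PRIV, N)
    return {"rce": rce, "id": rule_id, "rule": rule_text, "expires": expires, "sig": sig}


class TrustBoundaryRouter:
    """Verifies certified rules on packets entering its trust domain."""

    def __init__(self, pubkeys):
        self.pubkeys = pubkeys
        self.cache = {}            # rule id -> (digest, signature) that was verified
        self.verifications = 0     # public-key operations actually paid for

    def check(self, cert, now):
        """True if a packet carrying `cert` may be forwarded. The cache entry is the
        exact (digest, signature) pair that passed, so a forged rule reusing a cached
        identifier still has to pass a real verification; only the lease check runs
        on every packet."""
        d = _digest(cert["rce"], cert["id"], cert["rule"], cert["expires"])
        if self.cache.get(cert["id"]) != (d, cert["sig"]):
            self.verifications += 1
            n, e = self.pubkeys.get(cert["rce"], (None, None))
            if n is None or pow(cert["sig"], e, n) != d:
                return False
            self.cache[cert["id"]] = (d, cert["sig"])
        return now < cert["expires"]


if __name__ == "__main__":
    cert = rce_certify("R_S_D", "if(packet.source != S) drop; sendto D", 3600, now=1000)
    r = TrustBoundaryRouter(RCE_PUBKEYS)
    print(r.check(cert, 1000), r.check(cert, 1500), r.verifications)   # True True 1
    print(r.check(dict(cert, rule="sendto D"), 1500))                  # False
```

The second packet with the same certified rule costs one dictionary lookup, which is the point of slide 40; a tampered rule text, a forged signature, an unknown RCE and an expired lease are all rejected, and only the first three cost a public-key operation.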
43-47 Examples: DoS protection
Create capability-like rules, e.g. for a client with address S:
  R_S_D: if(packet.source != S) drop
         sendto D
D can control the number of simultaneous clients by controlling the number of rules it issues. This needs a way to grant rules on demand, e.g. dynamic DNS.
48-56 Examples: DoS protection with a front end
D can protect against DoS by redirecting its DNS entry to a large entity E. (Figure: S asks DNS for D's rule and is directed to E; E holds a certified rule R_E_D that allows only traffic from E to D.) E forwards rule requests to D and performs rate throttling, so D's incoming rate is controlled and D cannot be contacted directly. D creates and certifies a capability-like rule R_S_D for S, which E passes back to S; S then sends to D with R_S_D. E, as a large entity, is not easily DoSed.
57-58 Examples: DoS protection without involving D
Alternatively, to not involve D at all, E could create and certify rules in D's name: E is a large entity with RCE functionality, D gives E a rule-granting policy, and E issues the capability-like rule R_S_D to S.
59-60 Examples: Waypoint
R_D: go to R1 before reaching D. (Figure: S, waypoint R1, D.) R_D needs to be approved by R1 as well.
61-65 Examples: Waypoint rule
R_D:
  if(packet.been_to_r1 == 0)
    if(router.address != R1) sendto R1
    else packet.been_to_r1 = 1
  if(packet.been_to_r1 == 1) sendto D
been_to_r1 is a packet attribute that indicates whether the packet has visited R1 yet. Before the waypoint the packet carries been_to_r1 = 0 and is forwarded towards R1. At the waypoint (router.address = R1) the rule sets been_to_r1 = 1. After the waypoint the packet carries been_to_r1 = 1 and is forwarded to D.
66 Examples: Return rule
R_S: ... The packet from S also carries S's own rule R_S, with R_S's attributes, as a return rule.
67-68 Examples: Middlebox
Addition to the waypoint rule: R1 provides IDS functionality, which the rule invokes at the waypoint.
R_D:
  if(packet.been_to_r1 == 0)
    if(router.address != R1) sendto R1
    else packet.been_to_r1 = 1
         invoke IDS_func
  if(packet.been_to_r1 == 1) sendto D
Such functionalities can also be used at enhanced on-path routers.
69 Examples: Provenance verification
With the middlebox rule as written, a malicious user could set the packet attributes so that the packet appears to have visited the middlebox: S sends with been_to_r1 = 1 already set, and the rule forwards straight to D without the packet ever visiting R1.
70 Examples: Provenance verification (1)
Allow only packets from R1 when the state equals 1 (packet.source = R1 for packets emitted by R1):
R_D:
  if(packet.been_to_r1 == 0)
    if(router.address != R1) sendto R1
    else packet.been_to_r1 = 1
         invoke IDS_func
  if(packet.been_to_r1 == 1)
    if(packet.source == R1) sendto D
The anti-spoofing mechanism does not allow spoofing the source attribute.
71 Examples: Provenance verification (2)
R_D:
  if(packet.been_to_r1 == 0)
    if(router.address != R1) sendto R1
    else packet.been_to_r1 = 1
         invoke Crypto_proof
  if(packet.been_to_r1 == 1)
    packet.been_to_r1 = 2
    invoke IDS_func
  if(packet.been_to_r1 == 2)
    if(router.address != D) sendto D
    else invoke Verify_and_Deliver
Crypto_proof invokes functionality that (cryptographically) proves the packet visited the middlebox; Verify_and_Deliver invokes functionality at D that verifies the middlebox proofs before delivery.
72 Examples: Conditioned middlebox
R_D:
  if(packet.dest_port == 80) sendto D
  else // middlebox rule ...
Use the middlebox only for packets not destined to port 80: port-80 packets go from S straight to D, other packets go through R1 (IDS functionality).
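The rule language of slides 18-30 and the rules of slides 43 and 61-72 (capability-like rule, waypoint, middlebox, provenance check, conditioned middlebox), executed hop by hop by a toy interpreter written for this page. This is an added example, not the RBF authors' Click implementation. It assumes a tuple encoding of rules, a constructed four-node topology (hosts S and X, IDS middlebox R1, destination D), a constructed IDS_func that re-originates packets from R1 so that packet.source becomes R1, and it models the anti-spoofing mechanism by stamping the true source at injection; IP routing is abstracted away by moving a packet directly to its sendto target.

```python
"""Toy interpreter for the RBF rule language described on this page.
Added example constructed for this page; it is not the RBF authors' code.

Rules are lists of statements, each a tuple:
  ("if", cond, then_stmts, else_stmts)    else_stmts may be []
  ("drop",)                               terminal
  ("sendto", addr)                        terminal; evaluated at addr itself = deliver
  ("set", "packet.<attr>", value)         rules may modify packet attributes only
  ("invoke", name)                        call functionality the current router exposes
A cond is (lhs, op, rhs); lhs/rhs are "packet.<attr>", "router.<attr>" or a literal,
and op is "==" or "!=" (comparisons are all a rule may compute).
"""
import operator

OPS = {"==": operator.eq, "!=": operator.ne}


def _value(term, packet, router):
    """Resolve attribute references; anything else is a literal."""
    if isinstance(term, str) and term.startswith("packet."):
        return packet.get(term[len("packet."):])
    if isinstance(term, str) and term.startswith("router."):
        return router.get(term[len("router."):])
    return term


def run_rule(stmts, packet, router):
    """Execute a rule at one router. Returns ("drop",), ("sendto", addr), or None
    when the statements run out without a terminal action (forward() treats that
    as a drop; assumption: a rule that names no next hop forwards nothing)."""
    for stmt in stmts:
        kind = stmt[0]
        if kind == "if":
            lhs, op, rhs = stmt[1]
            taken = OPS[op](_value(lhs, packet, router), _value(rhs, packet, router))
            result = run_rule(stmt[2] if taken else stmt[3], packet, router)
            if result is not None:
                return result
        elif kind in ("drop", "sendto"):
            return stmt
        elif kind == "set":
            assert stmt[1].startswith("packet."), "rules cannot modify router attributes"
            packet[stmt[1][len("packet."):]] = stmt[2]
        elif kind == "invoke":
            func = router.get("functionality", {}).get(stmt[1])
            if func is None:          # assumption: absent functionality means drop
                return ("drop",)
            func(packet, router)
    return None


def forward(rule, packet, sender, routers, max_hops=16):
    """Inject `packet` at `sender` and execute the rule at every hop.
    `routers` maps address -> router attribute dict. sendto X moves the packet
    straight to X (RBF reuses IP for route computation). The anti-spoofing
    mechanism RBF requires is modelled by stamping the true source at injection.
    Returns (outcome, list of addresses visited)."""
    packet = dict(packet)
    packet["source"] = sender
    here, trace = sender, [sender]
    for _ in range(max_hops):
        result = run_rule(rule, packet, routers[here])
        if result is None or result[0] == "drop":
            return ("dropped at " + here, trace)
        if result[1] == here:
            return ("delivered at " + here, trace)
        here = result[1]
        trace.append(here)
    return ("hop limit exceeded", trace)


def ids_func(packet, router):
    """Constructed middlebox functionality: record the payload for inspection and
    re-originate the packet from the middlebox, so packet.source becomes R1
    (assumption about how the middlebox emits packets; slide 70's check
    packet.source == R1 relies on exactly this)."""
    router.setdefault("inspected", []).append(packet.get("payload"))
    packet["source"] = router["address"]


def make_network():
    """Constructed topology: hosts S and X, IDS middlebox R1, destination D."""
    return {
        "S": {"address": "S"},
        "X": {"address": "X"},
        "R1": {"address": "R1", "functionality": {"IDS_func": ids_func}},
        "D": {"address": "D"},
    }


# Rules from the slides, transcribed into the tuple form above.
PORT80 = [("if", ("packet.dest_port", "!=", 80), [("drop",)], []), ("sendto", "D")]
CAP_S_D = [("if", ("packet.source", "!=", "S"), [("drop",)], []), ("sendto", "D")]
WAYPOINT = [
    ("if", ("packet.been_to_r1", "==", 0),
        [("if", ("router.address", "!=", "R1"), [("sendto", "R1")],
            [("set", "packet.been_to_r1", 1), ("invoke", "IDS_func")])], []),
    ("if", ("packet.been_to_r1", "==", 1), [("sendto", "D")], []),
]
# Provenance verification (1): accept state 1 only on packets R1 itself emitted.
PROVENANCE = WAYPOINT[:1] + [
    ("if", ("packet.been_to_r1", "==", 1),
        [("if", ("packet.source", "==", "R1"), [("sendto", "D")], [])], []),
]
# Conditioned middlebox: port 80 goes straight to D, everything else via R1.
CONDITIONED = [("if", ("packet.dest_port", "==", 80), [("sendto", "D")], PROVENANCE)]

if __name__ == "__main__":
    net = make_network()
    print(forward(WAYPOINT, {"been_to_r1": 1, "payload": "evil"}, "S", net))    # skips R1
    print(forward(PROVENANCE, {"been_to_r1": 1, "payload": "evil"}, "S", net))  # dropped at S
```

Running the module shows the attack of slide 69 and its fix: under WAYPOINT a packet injected with been_to_r1 = 1 is delivered along S, D without the IDS ever seeing it, while under PROVENANCE the same packet is dropped at the first hop because its stamped source is S, not R1.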
73 RBF enables end users to:
1. block unwanted packets in the network;
2. (securely) control the path using waypoints;
3. use router state in forwarding decisions and record this state;
4. use enhanced functionality at middleboxes and routers, if available.
74 RBF Examples
Filter ports/prefixes (only receive specific traffic); middleboxes; protection against DoS attacks; secure loose path forwarding; anycast; recording path state (network probing, ECN); mobility; multiple paths; on-path redirection; delay-tolerant networks; use of on-path router functionalities deployed by ISPs (multicast, caching, WAN optimizers, ...).
76-78 Preliminary Evaluation: Rule sizes
(Figure: bytes per rule, broken down into signature, identifier and rule.) The overhead of one rule is ~60-140 bytes; this could be improved in the future.
79-82 Preliminary Evaluation: Forwarding using rules
RBF was implemented in Click and applied on top of RouteBricks. (Figure: throughput in Gbps for RBF over RouteBricks versus RouteBricks alone, by packet size.) Rule forwarding incurs little overhead on RouteBricks: no overhead for packets > 300 B, and the software router running RBF can forward up to 23 Gbps.
83 Preliminary Evaluation: Signature verification
Verification happens only at trust-boundary routers, which see lower traffic than the core. Results can be cached; the cache is small (e.g. 14 bytes/rule) and uses exact-match lookup. Only 1% of backbone link capacity is packets from new flows (CAIDA 2009 sample). Existing hardware (crypto processors, ASICs, FPGAs) can already handle tens of thousands of verifications per second, and verification can be parallelized.
84 Summary & Questions
RBF is flexible and secure. Each packet carries a rule; the rule expresses how packets should be forwarded and what packets can be forwarded. Destinations and waypoints approve rules. Rules are flexible: if-then-else conditions on packet and router attributes, plus use of router functionalities. Rules are signed by third parties; routers verify authenticity and forward by the rule.
More informationCharles Perkins Nokia Research Center 2 July Mobility Support in IPv6 <draft-ietf-mobileip-ipv6-14.txt> Status of This Memo
IETF Mobile IP Working Group INTERNET-DRAFT David B. Johnson Rice University Charles Perkins Nokia Research Center 2 July 2000 Mobility Support in IPv6 Status of This
More informationOpenADN: A Case for Open Application Delivery Networking
OpenADN: A Case for Open Application Delivery Networking Subharthi Paul, Raj Jain, Jianli Pan Washington University in Saint Louis {Pauls, jain, jp10}@cse.wustl.edu International Conference on Computer
More informationCISNTWK-440. Chapter 4 Network Vulnerabilities and Attacks
CISNTWK-440 Intro to Network Security Chapter 4 Network Vulnerabilities and Attacks Objectives Explain the types of network vulnerabilities List categories of network attacks Define different methods of
More informationMetro Ethernet Design and Engineering for CO
Hands-On Metro Ethernet Design and Engineering for CO Designing Carrier Networks that Deliver Metro Ethernet Services Course Description Carriers have offered connectivity services based on traditional
More informationLecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005
Firewalls Lecture 33 Security April 15, 2005 Idea: separate local network from the Internet Trusted hosts and networks Intranet Firewall DMZ Router Demilitarized Zone: publicly accessible servers and networks
More informationLecture Computer Networks
Prof. Dr. Hans Peter Großmann mit M. Rabel sowie H. Hutschenreiter und T. Nau Sommersemester 2012 Institut für Organisation und Management von Informationssystemen Lecture Computer Networks Internet Protocol
More informationVPN World. MENOG 16 Istanbul-Turkey. By Ziad Zubidah Network Security Specialist
VPN World MENOG 16 Istanbul-Turkey By Ziad Zubidah Network Security Specialist What is this Van used for?! Armed Van It used in secure transporting for valuable goods from one place to another. It is bullet
More informationTCP/IP Networking. Training Details. About Training. About Training. What You'll Learn. Training Time : 9 Hours. Capacity : 12
TCP/IP Networking Training Details Training Time : 9 Hours Capacity : 12 Prerequisites : There are no prerequisites for this course. About Training About Training TCP/IP is the globally accepted group
More informationIntroduction to IPv6. IPv6 addresses
Introduction to IPv6 (Chapter 4 in Huitema) IPv6,Mobility-1 IPv6 addresses 128 bits long Written as eight 16-bit integers separated with colons E.g. 1080:0000:0000:0000:0000:0008:200C:417A = 1080::8:800:200C:417A
More informationGeneric Architecture. EECS 122: Introduction to Computer Networks Switch and Router Architectures. Shared Memory (1 st Generation) Today s Lecture
Generic Architecture EECS : Introduction to Computer Networks Switch and Router Architectures Computer Science Division Department of Electrical Engineering and Computer Sciences University of California,
More informationECE 158A: Lecture 7. Fall 2015
ECE 158A: Lecture 7 Fall 2015 Outline We have discussed IP shortest path routing Now we have a closer look at the IP addressing mechanism We are still at the networking layer, we will examine: IP Headers
More informationInternet Indirection Infrastructure. Karthik Lakshminarayanan UC Berkeley
Internet Indirection Infrastructure Karthik Lakshminarayanan UC Berkeley Contrasting LNA, HIP, and i3 LNA = Layered Naming Architecture LNA, HIP, i3: All network architecture proposals Separate location
More informationThe IP Data Plane: Packets and Routers
The IP Data Plane: Packets and Routers EE 122, Fall 2013 Sylvia Ratnasamy http://inst.eecs.berkeley.edu/~ee122/ Material thanks to Ion Stoica, Scott Shenker, Jennifer Rexford, Nick McKeown, and many other
More informationScalability Considerations
3 CHAPTER This chapter presents the following steps to selecting Cisco products for a VPN solution: Sizing the headend Choosing Cisco products that can be deployed for headend devices Product sizing and
More informationA consumer-driven access control approach to censorship circumvention in content-centric networking
A consumer-driven access control approach to censorship circumvention in content-centric networking Jun Kurihara, Kenji Yokota and Atsushi Tagami KDDI R&D Laboratories, Inc. ACM ICN 2016 Kyoto, Japan,
More informationInternet Indirection Infrastructure (i3) Ion Stoica, Daniel Adkins, Shelley Zhuang, Scott Shenker, Sonesh Surana. UC Berkeley SIGCOMM 2002
Internet Indirection Infrastructure (i3) Ion Stoica, Daniel Adkins, Shelley Zhuang, Scott Shenker, Sonesh Surana UC Berkeley SIGCOMM 2002 Motivations Today s Internet is built around a unicast pointto-point
More informationET4254 Communications and Networking 1
Topic 9 Internet Protocols Aims:- basic protocol functions internetworking principles connectionless internetworking IP IPv6 IPSec 1 Protocol Functions have a small set of functions that form basis of
More informationWireless Network Security Spring 2016
Wireless Network Security Spring 2016 Patrick Tague Class #12 Routing Security; Forwarding Security 2016 Patrick Tague 1 SoW Presentation SoW Thursday in class I'll post a template Each team gets ~5 minutes
More informationVirtual Private Network
VPN and IPsec Virtual Private Network Creates a secure tunnel over a public network Client to firewall Router to router Firewall to firewall Uses the Internet as the public backbone to access a secure
More informationWireless Network Security Spring 2013
Wireless Network Security 14-814 Spring 2013 Patrick Tague Class #11 Control-Plane Routing Misbehavior Agenda Control-Plane Routing Misbehavior MANET Routing Misbehavior at the control-plane Toward secure
More informationCSCE 715: Network Systems Security
CSCE 715: Network Systems Security Chin-Tser Huang huangct@cse.sc.edu University of South Carolina Security in Network Layer Implementing security in application layer provides flexibility in security
More informationCSE398: Network Systems Design
CSE398: Network Systems Design Instructor: Dr. Liang Cheng Department of Computer Science and Engineering P.C. Rossin College of Engineering & Applied Science Lehigh University March 14, 2005 Outline Classification
More informationInternet Control Message Protocol
Internet Control Message Protocol The Internet Control Message Protocol is used by routers and hosts to exchange control information, and to inquire about the state and configuration of routers and hosts.
More informationVirtual Private Cloud. User Guide. Issue 21 Date HUAWEI TECHNOLOGIES CO., LTD.
Issue 21 Date 2018-09-30 HUAWEI TECHNOLOGIES CO., LTD. Copyright Huawei Technologies Co., Ltd. 2018. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any
More informationinternet technologies and standards
Institute of Telecommunications Warsaw University of Technology 2017 internet technologies and standards Piotr Gajowniczek Andrzej Bąk Michał Jarociński Network Layer The majority of slides presented in
More information2016/01/17 04:04 1/9 Basic Routing Lab
2016/01/17 04:04 1/9 Basic Routing Lab Basic Routing Lab Introduction The purpose of this exercise is to introduce participants to the basic configuration requirements of a Cisco router. The network topology
More informationImplementing Secure Socket Layer
This module describes how to implement SSL. The Secure Socket Layer (SSL) protocol and Transport Layer Security (TLS) are application-level protocols that provide for secure communication between a client
More informationAgenda. Forwarding (after a little more addressing) Follow-up from last time. Dealing with Address Scarcity. Sharing a Block of Addresses
Agenda Forwarding (after a little more addressing) EE22 Fall 20 Scott Shenker http://inst.eecs.berkeley.edu/~ee22/ Materials with thanks to Jennifer Rexford, Ion Stoica, Vern Paxson and other colleagues
More informationComputer Networks Prof. Ashok K. Agrawala
CMSC417 Computer Networks Prof. Ashok K. Agrawala 2017 Ashok Agrawala September 25, 2018 Fall 2018 CMSC417 1 Message, Segment, Packet, and Frame Fall 2018 CMSC417 2 Hierarchical Routing Hierarchical routing.
More informationWireless Network Security Spring 2015
Wireless Network Security Spring 2015 Patrick Tague Class #11 Routing and Forwarding Security 2015 Patrick Tague 1 Class #11 Basics of routing in ad hoc networks Control-plane attacks and defenses Data-plane
More informationRouter Architecture Overview
Chapter 4: r Introduction (forwarding and routing) r Review of queueing theory r Router design and operation r IP: Internet Protocol m IPv4 (datagram format, addressing, ICMP, NAT) m Ipv6 r Generalized
More informationDGS-1510 Series Gigabit Ethernet SmartPro Switch Web UI Reference Guide. Figure 9-1 Port Security Global Settings window
9. Security DGS-1510 Series Gigabit Ethernet SmartPro Switch Web UI Reference Guide Port Security 802.1X AAA RADIUS TACACS IMPB DHCP Server Screening ARP Spoofing Prevention MAC Authentication Web-based
More informationOverview. SSL Cryptography Overview CHAPTER 1
CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet. SSL ensures the secure transmission of data between a client and a server through
More informationEncryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls
Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls Overview Cryptography functions Secret key (e.g., DES) Public key (e.g., RSA) Message
More informationProtocol for Tetherless Computing
Protocol for Tetherless Computing S. Keshav P. Darragh A. Seth S. Fung School of Computer Science University of Waterloo Waterloo, Canada, N2L 3G1 1. Introduction Tetherless computing involves asynchronous
More informationCIS Controls Measures and Metrics for Version 7
Level One Level Two Level Three Level Four Level Five Level Six 1.1 Utilize an Active Discovery Tool Utilize an active discovery tool to identify devices connected to the organization's network and update
More informationIPv6 Rapid Deployment: Provide IPv6 Access to Customers over an IPv4-Only Network
White Paper IPv6 Rapid Deployment: Provide IPv6 Access to Customers over an IPv4-Only Network What You Will Learn IPv6 Rapid Deployment (6rd) (RFC 5969) 6rd is a stateless tunneling mechanism which allows
More informationCSC Network Security
CSC 474 -- Security Topic 9. Firewalls CSC 474 Dr. Peng Ning 1 Outline Overview of Firewalls Filtering Firewalls Proxy Servers CSC 474 Dr. Peng Ning 2 Overview of Firewalls CSC 474 Dr. Peng Ning 3 1 Internet
More information