Rule based Forwarding (RBF): improving the Internet s flexibility and security. Lucian Popa, Ion Stoica, Sylvia Ratnasamy UC Berkeley Intel Labs

Similar documents
Rule-Based Forwarding

Building Extensible Networks with Rule-Based Forwarding

Rule-based Forwarding (RBF): improving the Internet s flexibility and security

Secure Neighbor Discovery. By- Pradeep Yalamanchili Parag Walimbe

A Policy Framework for a Secure

IPv6: An Introduction

And Then There Were More:

CS 161 Computer Security

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway

Ethane: taking control of the enterprise

Networking: Network layer

Interdomain Routing Design for MobilityFirst

Networking interview questions

Examination 2D1392 Protocols and Principles of the Internet 2G1305 Internetworking 2G1507 Kommunikationssystem, fk SOLUTIONS

Understanding Layer 2 Encryption

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking

Configuring Basic IP Multicast

CCNA Exploration Network Fundamentals. Chapter 06 Addressing the Network IPv4

Introduction to IPv6. IPv6 addresses

IPv6. IPv4 & IPv6 Header Comparison. Types of IPv6 Addresses. IPv6 Address Scope. IPv6 Header. IPv4 Header. Link-Local

IPv6 Protocols and Networks Hadassah College Spring 2018 Wireless Dr. Martin Land

CSCI-1680 Network Layer:

Chapter 2 Advanced TCP/IP

SafeBricks: Shielding Network Functions in the Cloud

Sample excerpt. HP ProCurve Threat Management Services zl Module NPI Technical Training. NPI Technical Training Version: 1.

SEN366 (SEN374) (Introduction to) Computer Networks

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

Network Layer: Control/data plane, addressing, routers

Mobile IP. Mobile IP 1

Mobile Communications Mobility Support in Network Layer

Service Managed Gateway TM. How to Configure and Debug Generic Routing Encapsulation (GRE)

History Page. Barracuda NextGen Firewall F

CIS 6930/4930 Computer and Network Security. Topic 8.1 IPsec

Exam Questions Demo Cisco. Exam Questions CCIE Security Written Exam.

Wireless Network Security Spring 2015

Managing and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer

Sleep/Wake Aware Local Monitoring (SLAM)

Configuring IPv6 First-Hop Security

Host Identity Indirection Infrastructure Hi 3. Jari Arkko, Pekka Nikander and Börje Ohlman Ericsson Research

LECTURE 8. Mobile IP

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Contents. Configuring urpf 1

Chapter 7 Internet Protocol Version 4 (IPv4) Kyung Hee University

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

Internet Indirection Infrastructure (i3)

Network Security (and related topics)

Next Week. Network Security (and related topics) Project 3 Q/A. Agenda. My definition of network security. Network Security.

T Computer Networks II. Mobility Issues Contents. Mobility. Mobility. Classifying Mobility Protocols. Routing vs.

Grandstream Networks, Inc. GWN7000 OpenVPN Site-to-Site VPN Guide

Lecture 8. Network Layer (cont d) Network Layer 1-1

Hybrid Information-Centric Networking

IP Security. Have a range of application specific security mechanisms

IPv6 Client IP Address Learning

A SIMPLE INTRODUCTION TO TOR

Lecture 3. The Network Layer (cont d) Network Layer 1-1

EECS 122: Introduction to Computer Networks Switch and Router Architectures. Today s Lecture

EEC-684/584 Computer Networks

Virtual Private Networks.

CS 356 Internet Security Protocols. Fall 2013

A Framework for Optimizing IP over Ethernet Naming System

RID IETF Draft Update

IP Address Assignment

Charles Perkins Nokia Research Center 2 July Mobility Support in IPv6 <draft-ietf-mobileip-ipv6-14.txt> Status of This Memo

OpenADN: A Case for Open Application Delivery Networking

CISNTWK-440. Chapter 4 Network Vulnerabilities and Attacks

Metro Ethernet Design and Engineering for CO

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Lecture Computer Networks

VPN World. MENOG 16 Istanbul-Turkey. By Ziad Zubidah Network Security Specialist

TCP/IP Networking. Training Details. About Training. About Training. What You'll Learn. Training Time : 9 Hours. Capacity : 12

Introduction to IPv6. IPv6 addresses

Generic Architecture. EECS 122: Introduction to Computer Networks Switch and Router Architectures. Shared Memory (1 st Generation) Today s Lecture

ECE 158A: Lecture 7. Fall 2015

Internet Indirection Infrastructure. Karthik Lakshminarayanan UC Berkeley

The IP Data Plane: Packets and Routers

Scalability Considerations

A consumer-driven access control approach to censorship circumvention in content-centric networking

Internet Indirection Infrastructure (i3) Ion Stoica, Daniel Adkins, Shelley Zhuang, Scott Shenker, Sonesh Surana. UC Berkeley SIGCOMM 2002

ET4254 Communications and Networking 1

Wireless Network Security Spring 2016

Virtual Private Network

Wireless Network Security Spring 2013

CSCE 715: Network Systems Security

CSE398: Network Systems Design

Internet Control Message Protocol

Virtual Private Cloud. User Guide. Issue 21 Date HUAWEI TECHNOLOGIES CO., LTD.

internet technologies and standards

2016/01/17 04:04 1/9 Basic Routing Lab

Implementing Secure Socket Layer

Agenda. Forwarding (after a little more addressing) Follow-up from last time. Dealing with Address Scarcity. Sharing a Block of Addresses

Computer Networks Prof. Ashok K. Agrawala

Wireless Network Security Spring 2015

Router Architecture Overview

DGS-1510 Series Gigabit Ethernet SmartPro Switch Web UI Reference Guide. Figure 9-1 Port Security Global Settings window

Overview. SSL Cryptography Overview CHAPTER 1

Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls

Protocol for Tetherless Computing

CIS Controls Measures and Metrics for Version 7

IPv6 Rapid Deployment: Provide IPv6 Access to Customers over an IPv4-Only Network

CSC Network Security

Transcription:

Rule based Forwarding (RBF): improving the Internet s flexibility and security Lucian Popa, Ion Stoica, Sylvia Ratnasamy UC Berkeley Intel Labs

Motivation Improve network s flexibility Middlebox support, multi path routing, loose path routing, mobility, delay tolerant communications, active nodes Improve network s security In network filters, network capabilities, default off Typically conflicting goals and mechanisms

Motivation Example Flexibility circumvents security DoS Attack

Motivation Example Flexibility circumvents security In network filters protect the destination

Motivation Example Flexibility circumvents security In network filters protect the destination Middlebox suport & loose path routing may enable users to bypass in network filters

Motivation Example Flexibility circumvents security In network filters protect the destination Flexibility may circumvent security Middlebox suport & loose path routing may enable users to bypass in network filters

Motivation Example Security limits flexiblity Network capabilities bind a communication to a path

Motivation Example Security limits flexiblity Network capabilities bind a communication to a path Mobile nodes may change paths frequently

Motivation Example Security limits flexiblity Network capabilities bind a communication to a path Security may limit flexibility Mobile nodes may change paths frequently

Rule based Forwarding (RBF) Overview Packet forwarded on rules instead of destination addresses Rule Packet

Rule based Forwarding (RBF) Overview Packet forwarded on rules instead of destination addresses Rule Packet Rule specifies How packets should be forwarded Flexibility What packets can be forwarded Security

Rule based Forwarding (RBF) Overview Packet forwarded on rules instead of destination addresses Rule Packet 1. Rules are mandatory 2. Rules are provably valid All recipients in rule (destination, waypoints) explicitly agree to receive the associated packets 3. Rules are provably safe Cannot exhaust network resources 4. Rules are flexible End hosts can control path & use in network functionality

Rule based Forwarding (RBF) Overview Packet forwarded on rules instead of destination addresses Rule Packet 1. Rules are mandatory 2. Rules are provably valid All recipients in rule (destination, waypoints) explicitly agree to receive the associated packets 3. Rules are provably safe Cannot exhaust network resources 4. Rules are flexible End hosts can control path & use in network functionality

Rule based Forwarding (RBF) Overview Packet forwarded on rules instead of destination addresses Rule Packet 1. Rules are mandatory 2. Rules are provably valid All recipients in rule (destination, waypoints) explicitly agree to receive the associated packets 3. Rules are provably safe Cannot exhaust network resources 4. Rules are flexible End hosts can control path & use in network functionality

Rule based Forwarding (RBF) Overview Packet forwarded on rules instead of destination addresses Rule Packet 1. Rules are mandatory 2. Rules are provably valid All recipients in rule (destination, waypoints) explicitly agree to receive the associated packets 3. Rules are provably safe Cannot exhaust network resources 4. Rules are flexible End hosts can control path & use in network functionality

Rule based Forwarding (RBF) Overview Destinations own rules Senders Insert rules in packets Obtain destination s rule via an extended DNS DNS S D R_D Payload D s rule Packet may also contain a return rule

Outline Motivation RBF Approach Overview RBF Forwarding Mechanism RBF Security Mechanism Examples Preliminary Evaluation

RBF Mechanism Specification Rules: sequence of actions conditioned by if then else statements if(<condition>) ACTION1 else ACTION2 Conditions: comparison operations on packet & router attributes Example: drop packets if port different than 80 if(packet.dest_port!= 80) drop

RBF Mechanism Actions At each router, rule can: 1. Modify packet header 2. Drop packet 3. Forward i. To destination / next waypoint as specified by the rule ii. To upper layers: Invoke specific functionality / Transport

RBF Mechanism Attributes RBF packet header contains attributes E.g. packet s next destination, whether the packet visited a middlebox, etc. Rules can modify packet attributes Rules cannot modify anything else in the packet Rule Attributes Payload RBF routers may expose router attributes E.g. router s address, queue size, specific functionality, etc. Rules cannot modify router attributes Router Attributes

RBF Mechanism Attributes RBF packet header contains attributes E.g. packet s next destination, whether the packet visited a middlebox, etc. Rules can modify packet attributes Rules cannot modify anything else in the packet Rule Attributes Payload RBF routers may expose router attributes E.g. router s address, queue size, specific functionality, etc. Rules cannot modify router attributes Router Attributes

RBF Mechanism Illustration Router Attributes Rule Attributes Payload

RBF Mechanism Illustration Router Attributes Rule Attributes Payload

RBF Mechanism Illustration Router Attributes Rule Attributes Payload

RBF Mechanism Illustration Router Attributes Rule Attributes Payload

RBF Mechanism Illustration Router Attributes Rule Attributes Payload A. Forward to next hop

RBF Mechanism Illustration Router Attributes Rule Attributes Payload B. Drop A. Forward to next hop

RBF Mechanism Illustration Router Attributes Functionality Rule Attributes Payload C. Invoke router / middlebox functionality B. Drop A. Forward to next hop

RBF Mechanism Division of control End host control ISP/Mbox control Rules cannot Replicate packets Rule Payload Keep state at routers Modify packet payload Implement algorithms other than comparisons Functionality Rules can leverage functionalityat at enhanced routers & middleboxes for this purpose E.g. IDS, encryption, multicast, etc. Under the control of ISPs owning routers & middlebox owners!

RBF Mechanism Above IP Rules not about route discovery or route computation RBF reuses IP for this purpose ISPs control IP layer Rule based Forwarding RBF Routing controlled Forwarding IP Packet attributes 5 tuple IP source/ destination, transport ports, protocol User defined attributes with arbitrary semantics

Outline Motivation RBF Approach Overview RBF Forwarding Mechanism RBF Security Mechanism Examples Preliminary Evaluation

RBF Security Valid Rules Example: Unicast Current Internet S destination = D D

RBF Security Valid Rules Example: Unicast RBF S sendto D D Rule

RBF Security Valid Rules Example: Unicast RBF S sendto D D Rule Signature: proves D s approval to receive packets onthis rule

RBF Security Valid Rules Example: Unicast RBF S sendto D D Routers verify the rule signature. If it fails they drop the packet.

RBF Security Valid Rules Example: Unicast RBF S sendto D D Even if someone knows D s address, it cannot send packets to D without an approved rule

RBF Security Infrastructure Rules certified by trusted third parties Rule Certification Entities (RCEs) Ensures rules are valid and safe Rules cannot be tampered Rules have associated leases RBF uses an anti spoofing mechanism

RBF Security Infrastructure Rules certified by trusted third parties Rule Certification Entities (RCEs) Ensures rules are valid and safe Rules cannot be tampered Rules have associated leases RBF uses an anti spoofing mechanism

RBF Security Infrastructure Rules certified by trusted third parties Rule Certification Entities (RCEs) Ensures rules are valid and safe Rules cannot be tampered Rules have associated leases RBF requires an anti spoofing mechanism

RBF Security Signature Verification Routers know the public keys of all RCEs Not too many RCEs Can signatures be verified on the data plane? Not all routers need to verify signatures Trust boundary routers only Not all packets need to be verified Verifications can be cached

RBF Security Rule Creation & Certification For non sophisticated users, rules can be returned by an extended DHCP Destinations ask RCEs to certify their rules RCEs contracted by ISP ordirectly D RCE

Outline Motivation RBF Approach Overview RBF Forwarding Mechanism RBF Security Mechanism Examples Preliminary evaluation

Examples DoS protection Create capability like rules, e.g. for a client with address S R_S_D: if(packet.source!= S) drop sendto D

Examples DoS protection Create capability like rules, e.g. for a client with address S R_S_D: if(packet.source!= S) drop sendto D

Examples DoS protection Create capability like rules, e.g. for a client with address S R_S_D: if(packet.source!= S) drop sendto D

Examples DoS protection Create capability like rules, e.g. for a client with address S R_S_D: if(packet.source!= S) drop sendto D D can control number simultaneous clients by controlling number of rules

Examples DoS protection Create capability like rules, e.g. for a client with address S R_S_D: if(packet.source!= S) drop sendto D D can control number simultaneous clients by controlling number of rules Need a way to grant rules on demand Dynamic DNS

Examples DoS protection D can protect against DoS by redirecting its DNS entry to a large entity E E E forwards rule requests to D DNS RED R_E_D D s Ds rule =? D S E performs rate throttling

Examples DoS protection D can protect against DoS by redirecting its DNS entry to a large entity E E D s incoming rate is controlled DNS RED R_E_D D s Ds rule =? D S E performs rate throttling

Examples DoS protection D can protect against DoS by redirecting its DNS entry to a large entity E E D cannot be contacted directly DNS RED R_E_D D s Ds rule =? D S E performs rate throttling

Examples DoS protection D can protect against DoS by redirecting its DNS entry to a large entity E E DNS RED R_E_D D s Ds rule =? D S R_E_D allows only traffic from E to D

Examples DoS protection D can protect against DoS by redirecting its DNS entry to a large entity E E DNS D S Create & certify capability like rule R_S_D for S

Examples DoS protection D can protect against DoS by redirecting its DNS entry to a large entity E E DNS D S R_S R_S_D

Examples DoS protection D can protect against DoS by redirecting its DNS entry to a large entity E E DNS D S R_S_D

Examples DoS protection D can protect against DoS by redirecting its DNS entry to a large entity E E DNS D S R_S_D Capability like lik rule

Examples DoS protection D can protect against DoS by redirecting its DNS entry to a large entity E E E not easily DoSed DNS D S R_S_D

Examples DoS protection Alternatively, to not involve D, E could create & certify rules in D s name E is a large entity with RCE functionality DNS E Rule granting policy D S RS R_S RSD R_S_D

Examples DoS protection Alternatively, to not involve D, E could create & certify rules in D s name E DNS D S R_S_D

Examples Waypoint R_D: Go to R1 before reaching D Waypoint R1 S D

Examples Waypoint R_D: Go to R1 before reaching D Waypoint R1 R_D needs to be approved by R1 S D

Examples Waypoint R_D: if(packet.been_to_r1 == 0) if(router.address!= R1) sendto R1 else packet.been_to_r1 = 1 if(packet.been_to_r1 == 1) sendto D R1 S D

Examples Waypoint R_D: if(packet.been_to_r1 == 0) if(router.address!= R1) sendto R1 else packet.been_to_r1 = 1 if(packet.been_to_r1 == 1) sendto D packet attribute that indicates if packet has visited R1 or not yet R1 S R_D been_to_r1 = 0 D

Examples Waypoint R_D: if(packet.been_to_r1 == 0) if(router.address!= R1) sendto R1 else packet.been_to_r1 = 1 if(packet.been_to_r1 == 1) sendto D Before the waypoint R1 S R_D been_to_r1 = 0 D

Examples Waypoint R_D: if(packet.been_to_r1 == 0) if(router.address!= R1) sendto R1 else packet.been_to_r1 = 1 if(packet.been_to_r1 == 1) sendto D At the waypoint R1 router.address = R1 R_D been_to_r1 = 1 S D

Examples Waypoint R_D: if(packet.been_to_r1 == 0) if(router.address!= R1) sendto R1 else packet.been_to_r1 = 1 if(packet.been_to_r1 == 1) sendto D After the waypoint R1 S R_D been_to_r1 = 1 D

Examples Waypoint R_S:... Return rule R1 S R_S R_S s attributes D

Examples Middlebox R_D: if(packet.been_to_r1 == 0) if(router.address!= R1) sendto R1 else packet.been_to_r1 = 1 invoke IDS_func if(packet.been_to_r1 == 1) sendto D R1 IDS functionality Addition to the waypoint rule S D

Examples Middlebox R_D: if(packet.been_to_r1 == 0) if(router.address!= R1) sendto R1 else packet.been_to_r1 = 1 Can also use such invoke IDS_func functionalities at enhanced if(packet.been_to_r1 == 1) on path routers! sendto D R1 IDS functionality S D

Examples Provenance Verification R_D: if(packet.been_to_r1 == 0) if(router.address!= R1) sendto R1 else packet.been_to_r1 = 1 invoke IDS_func if(packet.been_to_r1 == 1) sendto D R1 Malicious user could set the packet attributes such as to appear packet has visited the middlebox S R_D been_to_r1 = 1 D

Examples Provenance Verification (1) R_D: if(packet.been_to_r1 == 0) if(router.address!= R1) sendto R1 else packet.been_to_r1 = 1 Allow only packets kt from R1 packet.source = R1 when state equals 1 invoke IDS_func if(packet.been_to_r1 to == 1) if(packet.source == R1) sendto D Anti spoofing does not allow spoofing the source attribute

Examples Provenance Verification (2) R_D: if(packet.been_to_r1 == 0) if(router.address!= R1) sendto R1 else packet.been_to_r1 = 1 invoke Crypto_proof if(packet.been_to_r1 == 1) packet. been_to_r1 = 2 invoke IDS_func if(packet.been_to_r1 == 2) if(router.address!= D) sendto D else invoke Verify_ and_ Deliver Invoke functionality to (cryptographically) prove packet visited middlebox Invoke functionality to verify the middlebox proofs at D

Examples Conditioned Middlebox R_D: if(packet.dest_port == 80) sendto D else //Middlebox rule... to port 80 Use the Middlebox only for packets not destined to port 80 R1 IDS functionality S Port 80 Non port 80 D

RBF Enables End Users 1. Block unwanted packets in the network 2. (Secure) Control over path using waypoints 3. Use router state in forwarding decisions and record this state 4. Use enhanced functionality at middleboxes and routers, if available

RBF Examples Filter ports/prefixes only receive specific traffic Middleboxes Protect against DoS attacks Secure loose path forwarding Anycast Record path state network probing, ECN Mobility Multiple paths On path redirection Delay Tolerant Networks Use on path router functionalities deployed by ISPs Multicast, caching, WAN optimizers...

Outline Motivation RBF Approach Overview RBF Forwarding Mechanism RBF Security Mechanism Examples Preliminary Evaluation

Preliminary Evaluation Rule Sizes 140 120 100 Bytes 80 60 40 20 0 Signature Identifier Rule

Preliminary Evaluation Rule Sizes 140 120 100 Bytes 80 60 40 20 0 Overheadofonerule one rule is ~60 140bytes Signature Identifier Rule

Preliminary Evaluation Rule Sizes 140 120 100 Bytes 80 60 40 20 0 Could be improved in the future Signature Identifier Rule

Preliminary Evaluation Forwarding using rules RBF implemented in Click applied on top of RouteBricks 25 20 15 RBF over RouteBricks RouteBricks alone Gbps 10 5 0

Preliminary Evaluation Forwarding using rules RBF implemented in Click applied on top of RouteBricks 25 20 15 RBF over RouteBricks RouteBricks alone Gbps 10 5 0 Rule forwardingincurs incurs little overhead onroutebricks

Preliminary Evaluation Forwarding using rules RBF implemented in Click applied on top of RouteBricks 25 20 15 RBF over RouteBricks RouteBricks alone Gbps 10 5 0 No overhead for packets > 300B

Preliminary Evaluation Forwarding using rules RBF implemented in Click applied on top of RouteBricks 25 20 15 RBF over RouteBricks RouteBricks alone Gbps 10 5 0 Soft router RBF can forward up to 23Gbps

Preliminary Evaluation Signatureverification Only at trust boundary routers (see lower traffic than core) Result can be cached Cache is small (e.g. g 14 bytes/rule) and exact match lookup Only 1% of backbone link capacity are packets from new flows (CAIDA 2009 sample) Existing hardware (crypto processors, ASICs, FPGAs) can already handle tens of thousands verifications / s Can be parallelized!

Summary & Questions RBF flexible and secure Each packet carries rule Rule expresses how packets should be forwarded and what packets can be forwarded Destination / waypoints approve rules Rule flexible: if then else conditions on packet & router attributes and use of router functionalities Rules are signed by third parties Routers verify authenticity & forward by the rule

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback