Rule based Forwarding (RBF): improving the Internet s flexibility and security Lucian Popa, Ion Stoica, Sylvia Ratnasamy UC Berkeley Intel Labs
Motivation Improve network s flexibility Middlebox support, multi path routing, loose path routing, mobility, delay tolerant communications, active nodes Improve network s security In network filters, network capabilities, default off Typically conflicting goals and mechanisms
Motivation Example Flexibility circumvents security DoS Attack
Motivation Example Flexibility circumvents security In network filters protect the destination
Motivation Example Flexibility circumvents security In network filters protect the destination Middlebox suport & loose path routing may enable users to bypass in network filters
Motivation Example Flexibility circumvents security In network filters protect the destination Flexibility may circumvent security Middlebox suport & loose path routing may enable users to bypass in network filters
Motivation Example Security limits flexiblity Network capabilities bind a communication to a path
Motivation Example Security limits flexiblity Network capabilities bind a communication to a path Mobile nodes may change paths frequently
Motivation Example Security limits flexiblity Network capabilities bind a communication to a path Security may limit flexibility Mobile nodes may change paths frequently
Rule based Forwarding (RBF) Overview Packet forwarded on rules instead of destination addresses Rule Packet
Rule based Forwarding (RBF) Overview Packet forwarded on rules instead of destination addresses Rule Packet Rule specifies How packets should be forwarded Flexibility What packets can be forwarded Security
Rule based Forwarding (RBF) Overview Packet forwarded on rules instead of destination addresses Rule Packet 1. Rules are mandatory 2. Rules are provably valid All recipients in rule (destination, waypoints) explicitly agree to receive the associated packets 3. Rules are provably safe Cannot exhaust network resources 4. Rules are flexible End hosts can control path & use in network functionality
Rule based Forwarding (RBF) Overview Packet forwarded on rules instead of destination addresses Rule Packet 1. Rules are mandatory 2. Rules are provably valid All recipients in rule (destination, waypoints) explicitly agree to receive the associated packets 3. Rules are provably safe Cannot exhaust network resources 4. Rules are flexible End hosts can control path & use in network functionality
Rule based Forwarding (RBF) Overview Packet forwarded on rules instead of destination addresses Rule Packet 1. Rules are mandatory 2. Rules are provably valid All recipients in rule (destination, waypoints) explicitly agree to receive the associated packets 3. Rules are provably safe Cannot exhaust network resources 4. Rules are flexible End hosts can control path & use in network functionality
Rule based Forwarding (RBF) Overview Packet forwarded on rules instead of destination addresses Rule Packet 1. Rules are mandatory 2. Rules are provably valid All recipients in rule (destination, waypoints) explicitly agree to receive the associated packets 3. Rules are provably safe Cannot exhaust network resources 4. Rules are flexible End hosts can control path & use in network functionality
Rule based Forwarding (RBF) Overview Destinations own rules Senders Insert rules in packets Obtain destination s rule via an extended DNS DNS S D R_D Payload D s rule Packet may also contain a return rule
Outline Motivation RBF Approach Overview RBF Forwarding Mechanism RBF Security Mechanism Examples Preliminary Evaluation
RBF Mechanism Specification Rules: sequence of actions conditioned by if then else statements if(<condition>) ACTION1 else ACTION2 Conditions: comparison operations on packet & router attributes Example: drop packets if port different than 80 if(packet.dest_port!= 80) drop
RBF Mechanism Actions At each router, rule can: 1. Modify packet header 2. Drop packet 3. Forward i. To destination / next waypoint as specified by the rule ii. To upper layers: Invoke specific functionality / Transport
RBF Mechanism Attributes RBF packet header contains attributes E.g. packet s next destination, whether the packet visited a middlebox, etc. Rules can modify packet attributes Rules cannot modify anything else in the packet Rule Attributes Payload RBF routers may expose router attributes E.g. router s address, queue size, specific functionality, etc. Rules cannot modify router attributes Router Attributes
RBF Mechanism Attributes RBF packet header contains attributes E.g. packet s next destination, whether the packet visited a middlebox, etc. Rules can modify packet attributes Rules cannot modify anything else in the packet Rule Attributes Payload RBF routers may expose router attributes E.g. router s address, queue size, specific functionality, etc. Rules cannot modify router attributes Router Attributes
RBF Mechanism Illustration Router Attributes Rule Attributes Payload
RBF Mechanism Illustration Router Attributes Rule Attributes Payload
RBF Mechanism Illustration Router Attributes Rule Attributes Payload
RBF Mechanism Illustration Router Attributes Rule Attributes Payload
RBF Mechanism Illustration Router Attributes Rule Attributes Payload A. Forward to next hop
RBF Mechanism Illustration Router Attributes Rule Attributes Payload B. Drop A. Forward to next hop
RBF Mechanism Illustration Router Attributes Functionality Rule Attributes Payload C. Invoke router / middlebox functionality B. Drop A. Forward to next hop
RBF Mechanism Division of control End host control ISP/Mbox control Rules cannot Replicate packets Rule Payload Keep state at routers Modify packet payload Implement algorithms other than comparisons Functionality Rules can leverage functionalityat at enhanced routers & middleboxes for this purpose E.g. IDS, encryption, multicast, etc. Under the control of ISPs owning routers & middlebox owners!
RBF Mechanism Above IP Rules not about route discovery or route computation RBF reuses IP for this purpose ISPs control IP layer Rule based Forwarding RBF Routing controlled Forwarding IP Packet attributes 5 tuple IP source/ destination, transport ports, protocol User defined attributes with arbitrary semantics
Outline Motivation RBF Approach Overview RBF Forwarding Mechanism RBF Security Mechanism Examples Preliminary Evaluation
RBF Security Valid Rules Example: Unicast Current Internet S destination = D D
RBF Security Valid Rules Example: Unicast RBF S sendto D D Rule
RBF Security Valid Rules Example: Unicast RBF S sendto D D Rule Signature: proves D s approval to receive packets onthis rule
RBF Security Valid Rules Example: Unicast RBF S sendto D D Routers verify the rule signature. If it fails they drop the packet.
RBF Security Valid Rules Example: Unicast RBF S sendto D D Even if someone knows D s address, it cannot send packets to D without an approved rule
RBF Security Infrastructure Rules certified by trusted third parties Rule Certification Entities (RCEs) Ensures rules are valid and safe Rules cannot be tampered Rules have associated leases RBF uses an anti spoofing mechanism
RBF Security Infrastructure Rules certified by trusted third parties Rule Certification Entities (RCEs) Ensures rules are valid and safe Rules cannot be tampered Rules have associated leases RBF uses an anti spoofing mechanism
RBF Security Infrastructure Rules certified by trusted third parties Rule Certification Entities (RCEs) Ensures rules are valid and safe Rules cannot be tampered Rules have associated leases RBF requires an anti spoofing mechanism
RBF Security Signature Verification Routers know the public keys of all RCEs Not too many RCEs Can signatures be verified on the data plane? Not all routers need to verify signatures Trust boundary routers only Not all packets need to be verified Verifications can be cached
RBF Security Rule Creation & Certification For non sophisticated users, rules can be returned by an extended DHCP Destinations ask RCEs to certify their rules RCEs contracted by ISP ordirectly D RCE
Outline Motivation RBF Approach Overview RBF Forwarding Mechanism RBF Security Mechanism Examples Preliminary evaluation
Examples DoS protection Create capability like rules, e.g. for a client with address S R_S_D: if(packet.source!= S) drop sendto D
Examples DoS protection Create capability like rules, e.g. for a client with address S R_S_D: if(packet.source!= S) drop sendto D
Examples DoS protection Create capability like rules, e.g. for a client with address S R_S_D: if(packet.source!= S) drop sendto D
Examples DoS protection Create capability like rules, e.g. for a client with address S R_S_D: if(packet.source!= S) drop sendto D D can control number simultaneous clients by controlling number of rules
Examples DoS protection Create capability like rules, e.g. for a client with address S R_S_D: if(packet.source!= S) drop sendto D D can control number simultaneous clients by controlling number of rules Need a way to grant rules on demand Dynamic DNS
Examples DoS protection D can protect against DoS by redirecting its DNS entry to a large entity E E E forwards rule requests to D DNS RED R_E_D D s Ds rule =? D S E performs rate throttling
Examples DoS protection D can protect against DoS by redirecting its DNS entry to a large entity E E D s incoming rate is controlled DNS RED R_E_D D s Ds rule =? D S E performs rate throttling
Examples DoS protection D can protect against DoS by redirecting its DNS entry to a large entity E E D cannot be contacted directly DNS RED R_E_D D s Ds rule =? D S E performs rate throttling
Examples DoS protection D can protect against DoS by redirecting its DNS entry to a large entity E E DNS RED R_E_D D s Ds rule =? D S R_E_D allows only traffic from E to D
Examples DoS protection D can protect against DoS by redirecting its DNS entry to a large entity E E DNS D S Create & certify capability like rule R_S_D for S
Examples DoS protection D can protect against DoS by redirecting its DNS entry to a large entity E E DNS D S R_S R_S_D
Examples DoS protection D can protect against DoS by redirecting its DNS entry to a large entity E E DNS D S R_S_D
Examples DoS protection D can protect against DoS by redirecting its DNS entry to a large entity E E DNS D S R_S_D Capability like lik rule
Examples DoS protection D can protect against DoS by redirecting its DNS entry to a large entity E E E not easily DoSed DNS D S R_S_D
Examples DoS protection Alternatively, to not involve D, E could create & certify rules in D s name E is a large entity with RCE functionality DNS E Rule granting policy D S RS R_S RSD R_S_D
Examples DoS protection Alternatively, to not involve D, E could create & certify rules in D s name E DNS D S R_S_D
Examples Waypoint R_D: Go to R1 before reaching D Waypoint R1 S D
Examples Waypoint R_D: Go to R1 before reaching D Waypoint R1 R_D needs to be approved by R1 S D
Examples Waypoint R_D: if(packet.been_to_r1 == 0) if(router.address!= R1) sendto R1 else packet.been_to_r1 = 1 if(packet.been_to_r1 == 1) sendto D R1 S D
Examples Waypoint R_D: if(packet.been_to_r1 == 0) if(router.address!= R1) sendto R1 else packet.been_to_r1 = 1 if(packet.been_to_r1 == 1) sendto D packet attribute that indicates if packet has visited R1 or not yet R1 S R_D been_to_r1 = 0 D
Examples Waypoint R_D: if(packet.been_to_r1 == 0) if(router.address!= R1) sendto R1 else packet.been_to_r1 = 1 if(packet.been_to_r1 == 1) sendto D Before the waypoint R1 S R_D been_to_r1 = 0 D
Examples Waypoint R_D: if(packet.been_to_r1 == 0) if(router.address!= R1) sendto R1 else packet.been_to_r1 = 1 if(packet.been_to_r1 == 1) sendto D At the waypoint R1 router.address = R1 R_D been_to_r1 = 1 S D
Examples Waypoint R_D: if(packet.been_to_r1 == 0) if(router.address!= R1) sendto R1 else packet.been_to_r1 = 1 if(packet.been_to_r1 == 1) sendto D After the waypoint R1 S R_D been_to_r1 = 1 D
Examples Waypoint R_S:... Return rule R1 S R_S R_S s attributes D
Examples Middlebox R_D: if(packet.been_to_r1 == 0) if(router.address!= R1) sendto R1 else packet.been_to_r1 = 1 invoke IDS_func if(packet.been_to_r1 == 1) sendto D R1 IDS functionality Addition to the waypoint rule S D
Examples Middlebox R_D: if(packet.been_to_r1 == 0) if(router.address!= R1) sendto R1 else packet.been_to_r1 = 1 Can also use such invoke IDS_func functionalities at enhanced if(packet.been_to_r1 == 1) on path routers! sendto D R1 IDS functionality S D
Examples Provenance Verification R_D: if(packet.been_to_r1 == 0) if(router.address!= R1) sendto R1 else packet.been_to_r1 = 1 invoke IDS_func if(packet.been_to_r1 == 1) sendto D R1 Malicious user could set the packet attributes such as to appear packet has visited the middlebox S R_D been_to_r1 = 1 D
Examples Provenance Verification (1) R_D: if(packet.been_to_r1 == 0) if(router.address!= R1) sendto R1 else packet.been_to_r1 = 1 Allow only packets kt from R1 packet.source = R1 when state equals 1 invoke IDS_func if(packet.been_to_r1 to == 1) if(packet.source == R1) sendto D Anti spoofing does not allow spoofing the source attribute
Examples Provenance Verification (2) R_D: if(packet.been_to_r1 == 0) if(router.address!= R1) sendto R1 else packet.been_to_r1 = 1 invoke Crypto_proof if(packet.been_to_r1 == 1) packet. been_to_r1 = 2 invoke IDS_func if(packet.been_to_r1 == 2) if(router.address!= D) sendto D else invoke Verify_ and_ Deliver Invoke functionality to (cryptographically) prove packet visited middlebox Invoke functionality to verify the middlebox proofs at D
Examples Conditioned Middlebox R_D: if(packet.dest_port == 80) sendto D else //Middlebox rule... to port 80 Use the Middlebox only for packets not destined to port 80 R1 IDS functionality S Port 80 Non port 80 D
RBF Enables End Users 1. Block unwanted packets in the network 2. (Secure) Control over path using waypoints 3. Use router state in forwarding decisions and record this state 4. Use enhanced functionality at middleboxes and routers, if available
RBF Examples Filter ports/prefixes only receive specific traffic Middleboxes Protect against DoS attacks Secure loose path forwarding Anycast Record path state network probing, ECN Mobility Multiple paths On path redirection Delay Tolerant Networks Use on path router functionalities deployed by ISPs Multicast, caching, WAN optimizers...
Outline Motivation RBF Approach Overview RBF Forwarding Mechanism RBF Security Mechanism Examples Preliminary Evaluation
Preliminary Evaluation Rule Sizes 140 120 100 Bytes 80 60 40 20 0 Signature Identifier Rule
Preliminary Evaluation Rule Sizes 140 120 100 Bytes 80 60 40 20 0 Overheadofonerule one rule is ~60 140bytes Signature Identifier Rule
Preliminary Evaluation Rule Sizes 140 120 100 Bytes 80 60 40 20 0 Could be improved in the future Signature Identifier Rule
Preliminary Evaluation Forwarding using rules RBF implemented in Click applied on top of RouteBricks 25 20 15 RBF over RouteBricks RouteBricks alone Gbps 10 5 0
Preliminary Evaluation Forwarding using rules RBF implemented in Click applied on top of RouteBricks 25 20 15 RBF over RouteBricks RouteBricks alone Gbps 10 5 0 Rule forwardingincurs incurs little overhead onroutebricks
Preliminary Evaluation Forwarding using rules RBF implemented in Click applied on top of RouteBricks 25 20 15 RBF over RouteBricks RouteBricks alone Gbps 10 5 0 No overhead for packets > 300B
Preliminary Evaluation Forwarding using rules RBF implemented in Click applied on top of RouteBricks 25 20 15 RBF over RouteBricks RouteBricks alone Gbps 10 5 0 Soft router RBF can forward up to 23Gbps
Preliminary Evaluation Signatureverification Only at trust boundary routers (see lower traffic than core) Result can be cached Cache is small (e.g. g 14 bytes/rule) and exact match lookup Only 1% of backbone link capacity are packets from new flows (CAIDA 2009 sample) Existing hardware (crypto processors, ASICs, FPGAs) can already handle tens of thousands verifications / s Can be parallelized!
Summary & Questions RBF flexible and secure Each packet carries rule Rule expresses how packets should be forwarded and what packets can be forwarded Destination / waypoints approve rules Rule flexible: if then else conditions on packet & router attributes and use of router functionalities Rules are signed by third parties Routers verify authenticity & forward by the rule