Presentation is loading. Please wait.

Presentation is loading. Please wait.

March 2009IETF 74 - NSIS1 Implementation of Permission-Based Sending (PBS) NSLP: Network Traffic Authorization draft-hong-nsis-pbs-nslp-02 Se Gi Hong*,

Published byRobyn Daniel Modified over 9 years ago

Similar presentations

Presentation on theme: "March 2009IETF 74 - NSIS1 Implementation of Permission-Based Sending (PBS) NSLP: Network Traffic Authorization draft-hong-nsis-pbs-nslp-02 Se Gi Hong*,"— Presentation transcript:

1 March 2009IETF 74 - NSIS1 Implementation of Permission-Based Sending (PBS) NSLP: Network Traffic Authorization draft-hong-nsis-pbs-nslp-02 Se Gi Hong*, Henning Schulzrinne*, Swen Weiland** *Columbia University, ** University of Goettingen Presented by Henning Schulzrinne

2 March 2009IETF 74 - NSIS2 Overview of PBS NSLP Objective –Preventing Denial-of-Service (DoS) attacks and other forms of unauthorized traffic. Authorization –Permission is granted by the intended receiver. –Permission represents the authority to send data. Deny-by-default –In closed network (all end users have PBS NSLP functionalities) The unauthorized traffic without permission are dropped at the first router by default. –In the open Internet (some end users do not have PBS NSLP functionalities) The traffic from the end users who do not have PBS NSLP functionalities are rate-limited by default.

3 PBS NSLP Signaling Message 3 Two-way handshake –Query message Sent by a sender to request permission. Carry the flow identification (5-tuple) of the data packet. Flow identification: descriptor of flow –Permission message Sent by a receiver. Set up (grant), remove (revoke) and modify permission state. Carry permission, time limit, flow identification Trigger reaction mechanism against the attacks. Soft-state –Robustness of the system –Periodic refreshment of the permission state Peer-to-Peer delivery –The signaling messages are delivered in peer-to-peer fashion between the nodes that have PBS NSLP functionality March 2009IETF 74 - NSIS

4 March 2009IETF 74 - NSIS4 PBS NSLP architecture On-path signaling (PBS NSLP processing/ GIST processing) –Install and maintain permission state. –Monitor attacks. –Trigger reaction mechanism against the attacks. –Distribute public key (X.509 certificate) and session key Authorization –Decide the grants of permission (amount of data volume) for a flow –Detect and identify the attack. –Decide the reaction mechanism against the attacks. IPsec AH Changing data path Traffic management –Handle all incoming message. –IP packet filter drops the unauthorized packets. –Monitor data flow (check the total volume of the data flow).

5 Implementation structure PBS NSLP / GIST –Finite state machine FSM controls the state of each node. –Message creation and parsing Signaling messages are created and parsed at each node that has a PBS NSLP functionality. –Public key distribution OpenSSL: X.509 certificate –Signaling message authentication OpenSSL: The public key cryptography for the message authentication –GIST API IPC (Unix socket): Communication between GIST and PBS NSLP Selection of UDP/TCP/TLS: channel reliability and security March 2009IETF 74 - NSIS5

6 Implementation structure Authorization –State table Hashtable: permission state, IPsec state Traffic management –Userspace IPsec module: A modular IPsec stack which relies on user space netfilter queue module: get the packets (if a rule matches) to user space OpenSSL: public key cryptography for IPsec authentication field –Netfilter/IPtables libiptc: interface filter tables in the kernel space iptables: filter IP packets –Linux kernel routing table route: set up the data path (Linux kernel routing table is used). March 2009IETF 74 - NSIS6

7 PBS implementation architecture 7 User level Kernel level On-path signaling PBS NSLP Processing (OpenSSL) NTLP (GIST) Processing Linux kernel routing table (route) Netfilter IP packet filtering (iptables) Control and configurationData flowSignal flow State table: permission state, IPsec state (Hashtable) Userspace IPsec module (netfilter queue module, libiptc, OpenSSL) Network device Network device Authorization Traffic management March 20097IETF 74 - NSIS

8 CPU usage AMD Opteron Processor 148 2GB RAM Single processor (2.2 GHz CPU) Linux with kernel version 2.6.15

9 Kernel IP routing table Destination Gateway Genmask Flags Iface 192.168.20.0 * 255.255.255.0 U eth0 192.168.21.0 * 255.255.255.0 U eth1 Kernel IP routing table Destination Gateway Genmask Flags Iface 192.168.21.0 192.168.20.3 255.255.255.0 UG eth0 Kernel IP routing table Destination Gateway Genmask Flags Iface 192.168.20.0 192.168.21.3 255.255.255.0 UG eth0 Dest: 192.168.21.4 Dest: 192.168.21.5 Router Eth0 192.168.20.3 Router Eth1 192.168.21.3 Sender 1 192.168.20.1 Sender 2 192.168.20.2 Receiver 2 192.168.21.5 Receiver 1 192.168.21.4 CPU usage measurement point Testbed setup and network configuration

10 Number of concurrent sessions that can be handled  600 (Q, P) messages /sec  36,000 concurrent flows with 60 sec refresh period with fair queue

11 Backup slides March 2009IETF 74 - NSIS11

12 PBS architecture 12 Authorization Traffic Management Control and configuration Data flow Signal flow PBS NSLP Processing NTLP (GIST) Processing March 2009IETF 74 - NSIS On-path signaling

13 State - 1: Idle, 2: wait for P, 3: Permission state, 4: compare SV and AV Send Q Recv P & P(AV!=N) || apply IPsec for data Send Data SV< AV T.O. || change route & send Q Recv P & P(AV=0) SV > AV || remove permission state TTL=0 OR recv P(AV = 0) || remove permission state Recv P (new security algorithm) || Change the security algorithm for IPsec Event || Action Q: Query message, P: Permission message, T.O.: Time out AV: The number of bytes that the receiver allows SV: The number of bytes that the sender has been sent 1 2 3 4 FSM: Sender March 200913IETF 74 - NSIS

14 Recv Q Grant || setup permission state & install SA & send P(AV!=0, shared key) TTL =0 OR No refresh || remove state and SA & send P(AV=0) Recv Q (SV) SV = RV || Send P Increase security|| send P(new security algorithm) RV < AVRV > AV || remove state and SA & send P(AV=0) IPsec verification failed || Drop Recv Data Decline || Send P(AV=0) IPsec verification success || calculate RV SV != RV Revoke permission|| Remove state and SA & Send P(AV=0) Event || Action RV: The number of bytes that the receiver has been received State - 1: IDLE, 2: Permission decision, 3: Permission state, 4: IPsec verification, 5: compare RV and AV, 6: compare RV and SV, 7: Policy decision 1 2 3 4 5 6 7 FSM: Receiver March 200914IETF 74 - NSIS

15 Recv Q || forward Q IPsec verification success || calculate RV Recv P (AV!=0) || setup permission state and SA RV < AV || forward Data IPsec verification failed || Drop Data Recv Data Recv P(AV=0) Recv Q RV > AV || Drop Data TTL=0 OR recv P (AV = 0) OR No refresh || remove state and SA Recv P (new security algorithm) || Change the security algorithm for IPsec Event || Action RV: The number of bytes that the receiver has been received State - 1: Idle, 2: Wait for P, 3: Permission state, 4: IPsec verification, 5: compare RV and AV 1 2 3 4 5 FSM: Router March 200915IETF 74 - NSIS

16 16 Query (10MB, FID) Sender R1 R2 Receiver T Permission (10MB, TTL, FID) Permission Query Query (10MB, FID) Permission (10MB, TTL, FID) Install permission state PBS NSLP Signaling Message March 200916IETF 74 - NSIS

17 Basic operation of prevention 17 Q (FID,PKey,Auth) SenderR1 R2 Receiver Data flow / IPsec Attack flow IPsec verification failed P (10MB, FID, Pkey, Skey, Auth) IPsec verification success Data flow / IPsec Q ( FID,Pkey,Auth) P (10MB, FID,Pkey, Skey, Auth) Auth verification success March 200917IETF 74 - NSIS

18 PBS Detection Algorithm (PDA) 18 Basic operation of PDA Sender R1R3Receiver Spoof sender’s address, and has the shared key T Data (size=1MB)/ IPsec (symm key) Q P (10MB) Q (1MB) P (public key crypto) Q (1MB) Detect attack (1MB Vs 3MB) Attack (size=2MB) IPsec (symm key) Attack (size=2MB) IPsec (symm key) P (public key crypto) P (10MB) QQQ Total 3MB Data (size=1MB)/ IPsec (symm key) Data (size=1MB)/ IPsec (symm key) Data (size=1MB)/ IPsec (symm key) Data (size=1MB)/ IPsec (Public key) Data (size=1MB)/ IPsec (Public key) Data (size=1MB)/ IPsec (Public key) Data (size=1MB)/ IPsec (Public key) Total 1MB March 2009IETF 74 - NSIS

19 PBS Detection Algorithm (PDA) 19 Detection of black hole attack T.O. R1R3ReceiverSender (Attacker, Drop attack) Query Change data flow path March 2009IETF 74 - NSIS

20 PBS Detection Algorithm (PDA) 20 Detection of dropping data packets Receiver R3R1 Sender Data (size=1MB) (Attacker, Drop attack) T Q (1MB) P (change path) Q Q (1MB) P (10MB) Data (size=1MB) Detect attack (1MB Vs 0MB) P (change path) P (10MB) QQQ March 2009IETF 74 - NSIS

Download ppt "March 2009IETF 74 - NSIS1 Implementation of Permission-Based Sending (PBS) NSLP: Network Traffic Authorization draft-hong-nsis-pbs-nslp-02 Se Gi Hong*,"

Similar presentations

1 Routing Protocols I. 2 Routing Recall: There are two parts to routing IP packets: 1. How to pass a packet from an input interface to the output interface.

1 Routing Protocols I. 2 Routing Recall: There are two parts to routing IP packets: 1. How to pass a packet from an input interface to the output interface.
20.1 Chapter 20 Network Layer: Internet Protocol Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

20.1 Chapter 20 Network Layer: Internet Protocol Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e.

Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e.
UNIT-IV Computer Network Network Layer. Network Layer Prepared by - ROHIT KOSHTA In the seven-layer OSI model of computer networking, the network layer.

UNIT-IV Computer Network Network Layer. Network Layer Prepared by - ROHIT KOSHTA In the seven-layer OSI model of computer networking, the network layer.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Telematics group University of Göttingen, Germany Overhead and Performance Study of the General Internet Signaling Transport (GIST) Protocol Xiaoming.

Telematics group University of Göttingen, Germany Overhead and Performance Study of the General Internet Signaling Transport (GIST) Protocol Xiaoming.
May 2007 PRESTO (Princeton, NJ) In-network Support for VoIP and Multimedia Applications Henning Schulzrinne Dept. of Computer Science Columbia University.

May 2007 PRESTO (Princeton, NJ) In-network Support for VoIP and Multimedia Applications Henning Schulzrinne Dept. of Computer Science Columbia University.
A DoS-Limiting Network Architecture Presented by Karl Deng Sagar Vemuri.

A DoS-Limiting Network Architecture Presented by Karl Deng Sagar Vemuri.
بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.

بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.
July 2008IETF 72 - NSIS1 Permission-Based Sending (PBS) NSLP: Network Traffic Authorization draft-hong-nsis-pbs-nslp-01 Se Gi Hong & Henning Schulzrinne.

July 2008IETF 72 - NSIS1 Permission-Based Sending (PBS) NSLP: Network Traffic Authorization draft-hong-nsis-pbs-nslp-01 Se Gi Hong & Henning Schulzrinne.
Chapter 15 – Part 2 Networks The Internal Operating System The Architecture of Computer Hardware and Systems Software: An Information Technology Approach.

Chapter 15 – Part 2 Networks The Internal Operating System The Architecture of Computer Hardware and Systems Software: An Information Technology Approach.
1 TVA: A DoS-limiting Network Architecture Xiaowei Yang (UC Irvine) David Wetherall (Univ. of Washington) Thomas Anderson (Univ. of Washington)

1 TVA: A DoS-limiting Network Architecture Xiaowei Yang (UC Irvine) David Wetherall (Univ. of Washington) Thomas Anderson (Univ. of Washington)
Design and Implementation of a Server Director Project for the LCCN Lab at the Technion.

Design and Implementation of a Server Director Project for the LCCN Lab at the Technion.
1 CCNA 2 v3.1 Module 8. 2 TCP/IP Suite Error and Control Messages CCNA 2 Module 8.

1 CCNA 2 v3.1 Module 8. 2 TCP/IP Suite Error and Control Messages CCNA 2 Module 8.
NSIS based NetServ Signalling Protocol Design and Implementation Roberto Francescangeli Visiting PhD student.

NSIS based NetServ Signalling Protocol Design and Implementation Roberto Francescangeli Visiting PhD student.
K. Salah1 Security Protocols in the Internet IPSec.

K. Salah1 Security Protocols in the Internet IPSec.
A DoS Limiting Network Architecture An Overview by - Amit Mondal.

A DoS Limiting Network Architecture An Overview by - Amit Mondal.
1 Permission-Based Sending (PBS) Signaling Architecture for network traffic authorization Se Gi Hong*, Henning Schulzrinne*, Swen Weiland** *Columbia University,

1 Permission-Based Sending (PBS) Signaling Architecture for network traffic authorization Se Gi Hong*, Henning Schulzrinne*, Swen Weiland** *Columbia University,

Similar presentations

Ads by Google