Presentation is loading. Please wait.

Presentation is loading. Please wait.

Research on IP Anycast Secure Group Management Wang Yue Network & Distribution Lab, Peking University Network.

Published byNicholas Byrd Modified over 8 years ago

Similar presentations

Presentation on theme: "Research on IP Anycast Secure Group Management Wang Yue Network & Distribution Lab, Peking University Network."— Presentation transcript:

1 Research on IP Anycast Secure Group Management Wang Yue wy@net.cs.pku.edu.cnwy@net.cs.pku.edu.cn Network & Distribution Lab, Peking University Network Research Workshop 2003 16 th APAN Meetings

2 2 List of Topics Review of IP Anycast Anycast Security Model Anycast Group Characteristics Secure Anycast Listener Discovery (S-ALD)

3 3 Review of IP Anycast An IP service defined in RFC1546 for IPv4, and in RFC2373 for IPv6. Like Multicast, an IP anycast address is assigned to a set of network interfaces. But, a packet for an anycast address is forwarded to the “topologically nearest” interface with this address.

4 4 Review of IP Anycast (continue) Anycast Group A is identified by its anycast address; Each member can also has an unicast address to identify itself.

5 5 Review of IP Anycast (continue) Address modification for stateful service dst = a1 Client ---------------------  Anycast Server src = u1 ( anycast address : a1  --------------------- unicast address : u1 ) dst = u1 ---------------------  … …

6 6 List of Topics Review of IP Anycast Anycast Security Model Anycast Group Characteristics Secure Anycast Listener Discovery (S-ALD)

7 7 Anycast Security Requirements Everyone can announce to the routing system or clients that it was the member of a certain group. Therefore, Anycast is vulnerable to attacks such as Masquerading, DOS, etc. “Security Requirements of IPv6 Anycast ” (internet draft) Unauthenticated anycast server announcements Source address modification by an anycast server Secure communication between anycast clients and servers

8 8 Secure Channel for Anycast We need secure channels between anycast members and the routing system as well as clients. Certificate-based secure protocols are good for the purpose. ( red lines denote secure channels )

9 9 Authorization Scheme IPv6 Anycast address format Network prefix defines a topological scope where all members reside in Global IP Anycast (GIA): prefix is null prefix Regional IP Anycast (RIA): prefix is not null AS-inner RIA : prefix insides an AS AS-outer RIA : prefix does not inside any AS

10 10 Authorization Scheme (continue) Three separate authorizations needed Assigning an anycast address, e.g. by IANA Entitling group membership to an interface, e.g. by the group owner Admission control for an group member residing in a certain network region or AS, e.g. by the AS

11 11 Authorization Scheme (continue) Authorization Hierarchy for GIA and AS-outer RIA address ( each color denotes a certificate chain )

12 12 Authorization Scheme (continue) Authorization Hierarchy for AS-inner RIA address ( considering an anycast address prefix covers a network inside the AS )

13 13 Configuration Group Discoverers need configure IANA or local addresses assigning authorities’ public key, and the public key for admission control certificate. Clients need only configure IANA’s public key. Truncation of certificate chains can be used to reduce cost, after the first try.

14 14 List of Topics Review of IP Anycast Anycast Security Model Anycast Group Characteristics Secure Anycast Listener Discovery (S-ALD)

15 15 Host-based Anycast using MLD This internet draft proposes to discover anycast members the same way as Multicast Listener Discovery (MLD) protocol. Host sends Report or Leave to the adjacent router (i.e. Group Discoverer) when joining or leaving a group. Group Discoverers periodically send Query to learn status of adjacent members.

16 16 Anycast Group Characteristics Semantically, each anycast group provides a service. Normally, the frequency for members advertising to Group Discoverers their joining or leaving a group is low. Members should report their status more frequently. The processing delay for joining is not required strictly, as other members can provide the same service. The processing delay for leaving should be as low as possible. Locations of anycast members can be rather limited and stable, so we unnecessarily deploy one group discoverer in each access border of the routing system. It is both economical and secure in this way.

17 17 List of Topics Review of IP Anycast Anycast Security Model Anycast Group Characteristics Secure Anycast Listener Discovery (S-ALD)

18 18 Secure Anycast Listener Discovery The Scenario Secure channel between anycast member and Group Discoverer is built during the join phase on IPSec by authenticating the mentioned certificates.

19 19 S-ALD Features Members report actively, not driven by a query Network burst largely reduced Members and Group Discoverers may not be on the same link Group Discoverers should record status of registered members For secure sessions’s sake Other information, e.g. members’s load may be useful for anycast route choice Considering Anycast group characteristics, S-ALD is secure, totally low overhead and manageable

20 20 Our contributions Authorization Scheme for Secure Anycast Anycast Group Characteristics The Resulting S-ALD protocol

21 21 Prospect IP Anycast is useful for service discovery, automatic configuration, load balance, etc. But, concerning security, IPv6 restricts that anycast addresses must NOT assigned to hosts, “ until more experience has been gained and solutions agreed upon”. With Anycast Secure Group Management, we can break this restriction.

22 22 The End

23 23 Question ?

Download ppt "Research on IP Anycast Secure Group Management Wang Yue Network & Distribution Lab, Peking University Network."

Similar presentations

Why do current IP semantics cause scaling issues? −Today, “addressing follows topology,” which limits route aggregation compactness −Overloaded IP address.

Why do current IP semantics cause scaling issues? −Today, “addressing follows topology,” which limits route aggregation compactness −Overloaded IP address.
Internetworking II: MPLS, Security, and Traffic Engineering

Internetworking II: MPLS, Security, and Traffic Engineering
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 26 IPv6 Addressing.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 26 IPv6 Addressing.
Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.

Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.
Auto Configuration and Mobility Options in IPv6 By: Hitu Malhotra and Sue Scheckermann.

Auto Configuration and Mobility Options in IPv6 By: Hitu Malhotra and Sue Scheckermann.
Chapter 6-7 IPv6 Addressing. IPv6 IP version 6 (IPv6) is the proposed solution for expanding the possible number of users on the Internet. IPv6 is also.

Chapter 6-7 IPv6 Addressing. IPv6 IP version 6 (IPv6) is the proposed solution for expanding the possible number of users on the Internet. IPv6 is also.
1 IPv6. 2 Problem: 32-bit address space will be completely allocated by 2008. Solution: Design a new IP with a larger address space, called the IP version.

1 IPv6. 2 Problem: 32-bit address space will be completely allocated by Solution: Design a new IP with a larger address space, called the IP version.
CS440 Computer Networks 1 IPv6 Neil Tang 11/10/2008.

CS440 Computer Networks 1 IPv6 Neil Tang 11/10/2008.
,< 資 管 Lee 附錄 A0 IGMP vs Multicast Listener Discovery.

,< 資 管 Lee 附錄 A0 IGMP vs Multicast Listener Discovery.
Limited address space The most visible and urgent problem with using IPv4 on the modern Internet is the rapid depletion of public addresses. Due to the.

Limited address space The most visible and urgent problem with using IPv4 on the modern Internet is the rapid depletion of public addresses. Due to the.
1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.

1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.
IP Version 6 Next generation IP Prof. P Venkataram ECE Dept. IISc.

IP Version 6 Next generation IP Prof. P Venkataram ECE Dept. IISc.
IPv6 Network Security.

IPv6 Network Security.
Understanding IPv6 Slide: 1 Lesson 1 Introduction to IPv6.

Understanding IPv6 Slide: 1 Lesson 1 Introduction to IPv6.
Network Localized Mobility Management using DHCP

Network Localized Mobility Management using DHCP
June 2007APTLD Meeting/Dubai ANYCAST Alireza Saleh.ir ccTLD

June 2007APTLD Meeting/Dubai ANYCAST Alireza Saleh.ir ccTLD
COS 420 Day 15. Agenda Assignment 3 Due Assignment 4 Posted Chap 16-20 Due April 6 Individual Project Presentations Due IEPREP - Jeff MANETS - Donnie.

COS 420 Day 15. Agenda Assignment 3 Due Assignment 4 Posted Chap Due April 6 Individual Project Presentations Due IEPREP - Jeff MANETS - Donnie.
School of Information Technologies Internet Multicasting NETS3303/3603 Week 10.

School of Information Technologies Internet Multicasting NETS3303/3603 Week 10.
COS 420 Day 18. Agenda Group Project Discussion Program Requirements Rejected Resubmit by Friday Noon Protocol Definition Due April 12 Assignment 3 Due.

COS 420 Day 18. Agenda Group Project Discussion Program Requirements Rejected Resubmit by Friday Noon Protocol Definition Due April 12 Assignment 3 Due.
IP Version 6 Addressing Architecture RFC 2373 Presented by Vickie Brown.

IP Version 6 Addressing Architecture RFC 2373 Presented by Vickie Brown.

Similar presentations

Ads by Google