Loose Source Routing as a Mechanism for Traffic Policies Katerina Argyraki and David R. Cheriton Presented by Thuan Huynh, Robert Patro, and Shomir Wilson.

Overview  Background and theory  Implementation  Applications  Related works

Brief Review of LSRR Loose Source and Record Route (LSRR) is an IP option (RFC 791, option type 131).  The sender specifies a list of IP addresses that the datagram must traverse.  The route is “loose”: the datagram can pass through other routers between any two addresses on the list.  Each listed router also records its own address in the slot it was reached at, which is the “record” part of the option.

LSRR Continued General format of the IP Source Route option: code (1 byte) | len (1 byte) | ptr (1 byte) | IP addr #1 (4 bytes) | IP addr #2 (4 bytes) | … ; the option is at most 39 bytes long. Example of IP source routing along S → R1 → R2 → R3 → D, where # marks the address the pointer selects next (sender’s view before the first hop is moved into the destination field: dest=D {#R1, R2, R3}):  at S: dest=R1 {#R2, R3, D}  at R1: dest=R2 {R1, #R3, D}  at R2: dest=R3 {R1, R2, #D}  at R3: dest=D {R1, R2, R3#} Each relay replaces the address it was reached at with its own and advances the pointer by four.
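The hop-by-hop option processing shown above, written out as an added example (not code from the slides or the Argyraki/Cheriton paper). It encodes the option as RFC 791 specifies (type 131, 1-byte length, 1-byte pointer starting at 4, then 4-byte addresses), walks a packet along a constructed route of relays, and includes the option-list scan that a firewall performs to drop source-routed packets; the relay addresses are made up for the example.

```python
"""IPv4 Loose Source and Record Route (LSRR, RFC 791 option type 131), simulated.
Added example, not from the slides or the paper; addresses are constructed."""
import ipaddress
import struct

LSRR = 131  # 0x83: copied flag set, class 0, option number 3
SSRR = 137  # 0x89: strict variant, included only so the filter below catches both


def build_lsrr(route):
    """Sender-side encoding: type, length, pointer (1-based, starts at 4) and the
    remaining 4-byte relay addresses.  The first relay goes in the IP destination
    field, not in the option."""
    addrs = b"".join(ipaddress.IPv4Address(a).packed for a in route)
    length = 3 + len(addrs)
    if length > 39:                       # the IP options field holds 40 bytes
        raise ValueError("LSRR carries at most 9 addresses")
    return struct.pack("!BBB", LSRR, length, 4) + addrs


def parse_lsrr(opt):
    """Return (pointer, [addresses]); reject encodings a careless router would
    trip over (length mismatch, pointer below 4, list not 4-byte aligned)."""
    if len(opt) < 3:
        raise ValueError("truncated option")
    typ, length, ptr = struct.unpack("!BBB", opt[:3])
    if typ != LSRR or length != len(opt) or (length - 3) % 4 or ptr < 4:
        raise ValueError("malformed LSRR option")
    addrs = [str(ipaddress.IPv4Address(opt[i:i + 4])) for i in range(3, length, 4)]
    return ptr, addrs


def relay(opt, my_addr):
    """RFC 791 processing at the router that owns the current IP destination:
    the address under the pointer becomes the new destination, the router
    records its own address in that slot and advances the pointer by 4.
    Returns (next_dst, new_opt); next_dst is None once the list is exhausted."""
    ptr, addrs = parse_lsrr(opt)
    if ptr > len(opt):                    # pointer past the end: deliver locally
        return None, opt
    idx = (ptr - 4) // 4
    next_dst, addrs[idx] = addrs[idx], my_addr
    packed = b"".join(ipaddress.IPv4Address(a).packed for a in addrs)
    return next_dst, struct.pack("!BBB", LSRR, len(opt), ptr + 4) + packed


def walk(route):
    """Trace of (ip_dst, pointer, recorded list) from the sender to the endpoint."""
    dst, opt = route[0], build_lsrr(route[1:])
    trace = [(dst, *parse_lsrr(opt))]
    while True:
        nxt, opt = relay(opt, dst)
        if nxt is None:
            return trace
        dst = nxt
        trace.append((dst, *parse_lsrr(opt)))


def has_source_route(options):
    """The check a firewall does in software: walk the variable-length IP option
    list and flag LSRR/SSRR, since they let a sender dictate the path and the
    return path and so sidestep address-based filters."""
    i = 0
    while i < len(options):
        typ = options[i]
        if typ == 0:                      # End of Option List
            return False
        if typ == 1:                      # No-Operation, single byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2 or i + options[i + 1] > len(options):
            raise ValueError("malformed option list")
        if typ in (LSRR, SSRR):
            return True
        i += options[i + 1]
    return False


if __name__ == "__main__":
    # Constructed route S -> R1 -> R2 -> R3 -> D (R1..D are listed; S is implicit).
    for dst, ptr, recorded in walk(["10.0.1.1", "10.0.2.1", "10.0.3.1", "10.0.4.1"]):
        print(f"dest={dst} ptr={ptr} {recorded}")
```

The final trace entry shows the endpoint receiving dest=D with the list fully rewritten to the relays actually traversed, which is what the slide's {R1, R2, R3#} denotes.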

WRAP: Wide-Area Relay Addressing Protocol WRAP runs on top of IP and uses loose source routing, but implements it differently from IP’s LSRR. WRAP and LSRR are…  Similar: the packet carries the list of relays it must traverse. A WRAP packet includes a forward path and a reverse path; every time a relay on the forward path is traversed, it is moved to the reverse path.  Different: the WRAP header (including the forward and reverse paths) is carried at the beginning of the IP payload rather than in the IP options field. The source and destination in the IP header are only the previous and next “hops” taken by the packet.

WRAP Advantages Over LSRR  Relaying of WRAP packets is easier to implement in hardware: the fields a relay needs sit at fixed offsets.  Filtering of WRAP packets can be done with conventional wire-speed filters (similar to TCP/UDP-level filters).  LSRR relaying or filtering requires processing the variable-length IP options field, which typically falls to the router’s CPU (the slow path).

Transmit Policies  WRAP enables a node to specify a transmit policy for each packet.  An edge system can compute multiple paths to a destination, monitor them, and choose between them based on QoS needs.  An access router that connects an edge network to the Internet computes paths and choices, or…  The end user (PC application, person) can specify outgoing traffic paths.  Either way, the Internet core becomes purely a forwarding engine.

Receive Policies  WRAP enables a node to specify a receive policy for each packet (accept, block, rate-limit) according to its end-to-end path.  A victim of a DDoS attack can ask routers close to the attack sources to block “bad” traffic from them.  This is implemented with Active Internet Traffic Filtering (AITF), which verifies that filtering requests are genuine: node M cannot disrupt traffic between A and B unless M is on the path between them.

Alternatives to LSRR/WRAP Transmit policies with labels: the edge system tags each packet with a policy label that indicates how it should be routed.  Good: less burdensome on edge systems  Bad: each ISP knows only its own internal performance Receive policies via hop-by-hop traceback: requests to rate-limit traffic propagate hop-by-hop upstream.  Good: again, less burdensome  Bad: core routers become a filtering bottleneck

WRAP Header Format Layout: protocol | length | foffset | reserved, followed by the reverse path, the forward path and the data.  protocol – the higher-layer protocol (UDP, TCP etc.)  length – the number of 32-bit addresses in the reverse and forward paths combined  foffset – the offset into the list of addresses where the forward path field starts  reverse path – list of 32-bit addresses: the end-point and relays already traversed  forward path – list of 32-bit addresses: the relays and end-point still ahead  data – the higher-level (protocol format) packet

RELAYING Topology S – A – B – D; the packet as seen on each link:  S → A: IP Src: S, IP Dst: A, Fpath: [B, D], Rpath: [ ]  A → B: IP Src: A, IP Dst: B, Fpath: [D], Rpath: [S]  B → D: IP Src: B, IP Dst: D, Fpath: [ ], Rpath: [S, A]

WRAP: IMPLEMENTATION Name-To-Path Resolution  WRAP requires modification of current DNS  Current – DNS maps names to IP addresses  Modified – DNS maps names to domain-level paths  How?  Each realm gets an internal and an external DNS server  Internal: responds to requests originating inside the realm; provides mappings from domain names to WRAP paths  External: responds to requests originating outside the realm; provides mappings from domain names to a tuple { global prefix, IP }  Forward reference (incremental deployment): state for WRAPID gateways can be instantiated during name resolution

WRAP: IMPLEMENTATION Name-To-Path Resolution (example) Topology S – A – B – D:  S: DNS name lookup for D  A: propagates the request to B  B: replies { prefix = P, IP = D }  A: returns path = [A, B, D]

DESIRABLE PROPERTIES: Limited Path Spoofing  WRAP limits the effectiveness of spoofing by its design.  Property A: just as the destination address must be correct for delivery in IP, the forward path must be correct for delivery in WRAP.  A malicious node may still spoof some other node by placing that node’s address in the reverse path.  However, because of property A, the malicious node’s gateway will necessarily appear in the reverse path: each relay appends the address it received the packet from, and that address was set by the previous relay, not by the origin.

DESIRABLE PROPERTIES: Limited Path Spoofing (example) Topology: M is attached to gateway A, the path runs A – B – C – D, and M forges V as the origin:  A → B: IP Src: A, IP Dst: B, Fpath: [C, D], Rpath: [V]  B → C: IP Src: B, IP Dst: C, Fpath: [D], Rpath: [V, A]  C → D: IP Src: C, IP Dst: D, Fpath: [ ], Rpath: [V, A, B] D receives a reverse path that claims V as the origin but also records A, M’s real gateway.
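The header format, the RELAYING walk-through and the spoofing example above, combined into one added example (not code from the slides or the paper). The slides give the order of the header fields but not their widths, so one byte each for protocol, length, foffset and reserved is an assumption; the relay rule (append the incoming IP source to the reverse path, pop the next forward entry into IP destination, put the relay's own address in IP source) is read off the RELAYING slide, and `reply_path`/`origin_gateway` are helpers added here to show what an endpoint can do with the recorded path. All addresses are constructed.

```python
"""Simulated WRAP header encoding and relaying.
Added example, not code from the Argyraki/Cheriton paper or the slides."""
import ipaddress
import struct

# Assumed widths: the slides list (protocol, length, foffset, reserved, reverse
# path, forward path, data) without sizes; one byte per fixed field is assumed.
HDR = struct.Struct("!BBBB")


def pack_wrap(proto, rpath, fpath, data=b""):
    """length = total number of 32-bit addresses; foffset = index at which the
    forward path starts, i.e. the number of reverse-path entries."""
    addrs = list(rpath) + list(fpath)
    if len(addrs) > 255:
        raise ValueError("too many relays for an 8-bit length field")
    packed = b"".join(ipaddress.IPv4Address(a).packed for a in addrs)
    return HDR.pack(proto, len(addrs), len(rpath), 0) + packed + data


def unpack_wrap(payload):
    """Fixed-offset parse: this is why a relay or a wire-speed filter can find
    the next hop or the full path without walking a variable-length option list."""
    if len(payload) < HDR.size:
        raise ValueError("truncated WRAP header")
    proto, length, foffset, _reserved = HDR.unpack_from(payload)
    end = HDR.size + 4 * length
    if foffset > length or len(payload) < end:
        raise ValueError("malformed WRAP header")
    addrs = [str(ipaddress.IPv4Address(payload[i:i + 4]))
             for i in range(HDR.size, end, 4)]
    return proto, addrs[:foffset], addrs[foffset:], payload[end:]


def originate(src, path, proto=17, data=b""):
    """Sender: IP destination is the first relay, the rest of the path goes in
    the forward path.  A packet is the tuple (ip_src, ip_dst, payload)."""
    return src, path[0], pack_wrap(proto, [], path[1:], data)


def relay(packet):
    """One step at the node named by ip_dst: the previous hop (ip_src) is appended
    to the reverse path, the next forward entry becomes ip_dst and the relay's own
    address becomes ip_src.  Returns None when this node is the endpoint."""
    ip_src, ip_dst, payload = packet
    proto, rpath, fpath, data = unpack_wrap(payload)
    if not fpath:
        return None
    return ip_dst, fpath[0], pack_wrap(proto, rpath + [ip_src], fpath[1:], data)


def deliver(packet):
    """Walk the packet to its endpoint; return what the endpoint sees."""
    while (nxt := relay(packet)) is not None:
        packet = nxt
    ip_src, ip_dst, payload = packet
    _, rpath, _, data = unpack_wrap(payload)
    return ip_src, ip_dst, rpath, data


def reply_path(ip_src, rpath):
    """Forward path for a reply: the recorded path plus the last relay, reversed."""
    return list(reversed(rpath + [ip_src]))


def origin_gateway(rpath):
    """rpath[0] was stamped from the origin's own IP source and may be forged;
    rpath[1] was stamped by the next relay from the address the origin's gateway
    itself wrote into ip_src, so a victim can direct an AITF-style filter request
    there even when the origin is spoofed."""
    return rpath[1] if len(rpath) > 1 else None


if __name__ == "__main__":
    S, A, B, D = "10.1.0.9", "10.1.0.1", "10.2.0.1", "10.2.0.7"   # constructed
    print("honest :", deliver(originate(S, [A, B, D], data=b"hi")))
    V, C = "10.3.0.5", "10.2.0.2"                                  # constructed
    src, dst, rpath, _ = deliver(originate(V, [A, B, C, D]))       # M forges V
    print("spoofed:", rpath, "-> ask gateway", origin_gateway(rpath))
```

In the spoofed run the reverse path arrives as [V, A, B] even though V never sent anything: M could forge the first entry but not A, which A's neighbour B recorded from A's own IP source.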

DESIRABLE PROPERTIES: Low Packet Overhead  WRAP chooses to explicitly include variable-length lists of IP addresses in its headers.  It seems as though this might introduce much larger headers than a scheme like NIRA, but how bad is it in practice?  Magoni and Pansiot [14] find that AS path length appears to follow a Gaussian distribution with a mean m, where 3 < m < 4.  75% of AS pairs have a path length < 4, and 95% of AS pairs have a path length < 6.  The WRAP authors make the conservative assumption that each AS may be a collection of networks behind a NAT. This shifts the distribution’s average by 2.  Still, 75% of WRAP headers would have a path length < 6 and 95% of WRAP headers would have a path length < 8.  Magoni and Pansiot also found the “empirical law” that the average distance, diameter and radius of the inter-domain graph of AS networks stay constant.  This “law” holds despite the fact that the number of ASs grew by 40% during their study.

DESIRABLE PROPERTIES: Address Space  Make IP addresses routing tags with NO end-to-end significance. Example: S reaches two different hosts that both carry the address D, one via [S, A, D] and the other via [S, B, D]; the path, not the address, identifies the endpoint.

 Unlike NIRA and other schemes, globally unique addresses are not required:  IP addresses must only be unique within a realm.  2^32 (about 4 billion) addresses per realm.  Relay addresses specify not just a specific router but a pair { router, outgoing realm }. This is an artifact of a router’s non-uniqueness in the global address space.

Similarity to IPNL  IPNL is a NAT-extended architecture  An address has 10 bytes and consists of  a global IPv4 address  a realm number  a local IPv4 address  Packets must be routed to the global address first, then to the realm, and then to the local address.

WRAPID Gateways  Deploying WRAP is similar to placing every administrative domain behind NAT  can be incremental  must upgrade routers to be WRAP capable  hosts can be upgraded or not  non-WRAP hosts can be supported by WRAPID gateways (WRAP to IP Domain)  WRAPID gateways implement IP → WRAP and WRAP → IP translating functionality.

WRAPID Gateways (example) S is a legacy IP host behind WRAPID gateway A, D sits behind gateway B, and X and Y are the addresses the gateways substitute for D and S on the legacy sides:  S → A: IP Src: S, IP Dst: X  A → B: IP Src: A, IP Dst: B, Fpath: [D], Rpath: [S]  B → D: IP Src: Y, IP Dst: D Problems?

Applications  Virtual Private Network  Different sites are connected by WRAP relay nodes  Policy-based routing  Extended forwarding path check  The source can be verified up to the trusted relay node.  Multicast  WRAPsec

Related works  TRIAD (Translating Relaying Internet Architecture integrating Active Directories)  RouteScience  RON  NIRA (Tuesday)  IPNL and IPv4+4  “shim protocol”  router upgrade  routing information in header

Q & A