Presentation is loading. Please wait.

Presentation is loading. Please wait.

Architectural issues for network-layer identifiers Stefan Savage Dept of Computer Science & Engineering UC San Diego.

Published byOlivia Fagan Modified over 10 years ago

Similar presentations

Presentation on theme: "Architectural issues for network-layer identifiers Stefan Savage Dept of Computer Science & Engineering UC San Diego."— Presentation transcript:

1 Architectural issues for network-layer identifiers Stefan Savage Dept of Computer Science & Engineering UC San Diego

2 Historical context I I n the beginning... it was amazing the net worked at all. Everyone was a good actor.

3 Existing Internet design Focused on universal connectivity IP address Identifiers purely for the purpose of connectivity Dst address for routing, Src to identify destination for replies Strictly voluntary Actively trying to introduce homogeneous substrate Unbound usage model Security not a significant consideration in the network layer; trust everyone equally Cryptography expensive relative to transport Cryptographic abstractions limited True when IPSec designed also

4 What has changed? Many users/providers dont want homogeneity Most src addresses today are NATed We want to limit who can talk to whom Huge growth in criminal activity 10s of millions of compromised machines Sophisticated abuse of network layer

5 Problems Network architecture provides how Security questions are mainly about who and what Ad hoc, brittle mappings between two Firewalls (address, port) Ingress/egress filtering DDoS filtering (ttl hack, blackholing, etc) Key issue Cant count on src address being correct or global Even if it is correct only represents existence of endpoint

6 Worth rethinking… How might we design packet identifiers to provide useful attribution? Attribution – working definition: The act of linking identity with action Uses Authentication: who wants to do that? Access control Situational awareness: who is doing that now? Operational response (e.g. filtering DDoS, BotNet C&C) Forensics: who did that in the past? Investigatory, evidentiary

7 Design options Meaning of identifier Network attribute IP address: topological endpoint Path: topological route (StackPI) Physical attribute Location: place packet sent from (used today in payment sys) Originator: machine packet sent from User attribute Capability: right to access something Principal: evidence of individual Scope of identifier (local, global, in-between) Who can interpret (anyone, trusted party, hybrid)

8 New opportunity Crypto has advanced significantly Many operations are comparatively cheap now 10s of microseconds Line-rate hardware implementations feasible Completely new kinds of cryptography Groups, aggregates, append-only, IBE, Attribute- based crypto, homomorphic crypto, broadcast systems, etc Its not just encrypt, hash and sign anymore… New tools provide new design opportunities

9 Remaining agenda Revisiting the Cryptographic toolbox (Boneh) Local identifiers for access control (Casado) Global identifiers for forensics (Savage)

10 Attribution To whom

11

12

Download ppt "Architectural issues for network-layer identifiers Stefan Savage Dept of Computer Science & Engineering UC San Diego."

Similar presentations

Network support for DoS Protection Stefan Savage Dept of Computer Science and Engineering UC San Diego.

Network support for DoS Protection Stefan Savage Dept of Computer Science and Engineering UC San Diego.
Privacy-Preserving Attribution and Provenance UC San Diego & University of Washington Alex C. Snoeren & Yoshi Kohno, PIs Stefan Savage, Amin Vahdat, Geoff.

Privacy-Preserving Attribution and Provenance UC San Diego & University of Washington Alex C. Snoeren & Yoshi Kohno, PIs Stefan Savage, Amin Vahdat, Geoff.
Network Support for Sharing. 2 CABO: Concurrent Architectures are Better than One No single set of protocols or functions –Different applications with.

Network Support for Sharing. 2 CABO: Concurrent Architectures are Better than One No single set of protocols or functions –Different applications with.
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.

Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.
Issues of Security and Privacy in Networking in the CBA Karen Sollins Laboratory for Computer Science July 17, 2002.

Issues of Security and Privacy in Networking in the CBA Karen Sollins Laboratory for Computer Science July 17, 2002.
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.

IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Introduction to ISA 2004 Dana Epp Microsoft Security MVP.

Introduction to ISA 2004 Dana Epp Microsoft Security MVP.
How do Networks work – Really The purposes of set of slides is to show networks really work. Most people (including technical people) don’t know Many people.

How do Networks work – Really The purposes of set of slides is to show networks really work. Most people (including technical people) don’t know Many people.
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
© 2003 By Default! A Free sample background from www.powerpointbackgrounds.com Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,

© 2003 By Default! A Free sample background from Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,
1 Steve Chenoweth Tuesday, 10/18/11 Week 7, Day 2 Right – One view of the layers of ingredients to an enterprise security program. From www.451group.com/security/451_security.php.www.451group.com/security/451_security.php.

1 Steve Chenoweth Tuesday, 10/18/11 Week 7, Day 2 Right – One view of the layers of ingredients to an enterprise security program. From
A Study of Mobile IP Kunal Ganguly Wichita State University CS843 – Distributed Computing.

A Study of Mobile IP Kunal Ganguly Wichita State University CS843 – Distributed Computing.
COS 420 Day 20. Agenda Group Project Discussion Protocol Definition Due April 12 Paperwork Due April 29 Assignment 3 Due Assignment 4 is posted Last Assignment.

COS 420 Day 20. Agenda Group Project Discussion Protocol Definition Due April 12 Paperwork Due April 29 Assignment 3 Due Assignment 4 is posted Last Assignment.
Secure Routing in Ad Hoc Wireless Networks 11.03.2005.

Secure Routing in Ad Hoc Wireless Networks
Slides of the course was made by TAs of this and previous semesters 1 Internet Networking Spring 2002 Tutorial 1 Subnets, Proxy ARP.

Slides of the course was made by TAs of this and previous semesters 1 Internet Networking Spring 2002 Tutorial 1 Subnets, Proxy ARP.
K. Salah1 Security Protocols in the Internet IPSec.

K. Salah1 Security Protocols in the Internet IPSec.

Similar presentations

Ads by Google