Presentation is loading. Please wait.

Presentation is loading. Please wait.

Authentication for Fragments Craig Partridge BBN Technologies

Published byIsabel Salisbury Modified over 10 years ago

Similar presentations

Presentation on theme: "Authentication for Fragments Craig Partridge BBN Technologies"— Presentation transcript:

1 Authentication for Fragments Craig Partridge BBN Technologies craig@bbn.com

2 The Problem Router Packet (Fragments) An Intermittent Link Comes Up Which Fragment Do You Send?

3 Why An Issue? New network scenarios with intermittent (potentially) oversubscribed links New network scenarios with intermittent (potentially) oversubscribed links A desire to send the most valuable traffic first A desire to send the most valuable traffic first Large native unit of authentication Large native unit of authentication –Mobigrams –DTN bundles

4 Starting Assumptions Datagram may be (re)fragmented at any point in the data and at any time (including during transmission) Datagram may be (re)fragmented at any point in the data and at any time (including during transmission) Fragments do not all follow the same path Fragments do not all follow the same path

5 Datagram may be (re)fragmented at any point in the data and at any time (including during transmission Nice assumption Nice assumption –Can pre-empt fragments during transmission –Very general Apparently untenable Apparently untenable –Creates unauthenticatable fragments –Creates new style of attack on fragments Bytes 1..j Auth Unit P+1 Bytes k..n Auth Unit P Must fragment on boundaries determined by origin (ugh!) Must fragment on boundaries determined by origin (ugh!)

6 Fragments do not all follow same path Distributed Romanow-Floyd problem Distributed Romanow-Floyd problem –Fragment lost on path 1 means fragments on path 2 now can only do harm, yet path 2 must treat them as valuable Shared keys problematic Shared keys problematic –Every fragmentation point has private key with each origin? –Public key signatures are BIG Either Either –Each fragment is self authenticating (see PK is BIG) –Or we distribute aggregated authentication information down all possible paths (can we make it small enough?)

7 Can We Make Authentication Information Small Enough? An idea: send function definition, not signature An idea: send function definition, not signature –Implies result of function is known –E.g. fragment #5 has digital hash of 5 Such functions exist… Such functions exist… –But either compact in representation OR strong enough to provide digital signature –NOT both (yet!) –Why this is a HOTNETS paper

8 While I Take Questions… This builds on prior work This builds on prior work –Kent/Mogul, Fragmentation Considered Harmful –Romanow/Floyd, Dynamics of TCP Traffic over ATM Networks –Matthis/Heffner/Chandler, Fragmentation Considered Very Harmful –Toilet paper authentication ideas in DTN list

Download ppt "Authentication for Fragments Craig Partridge BBN Technologies"

Similar presentations

By Md Emran Mazumder Ottawa University Student no: 6282845.

By Md Emran Mazumder Ottawa University Student no:
Pathload A measurement tool for end-to-end available bandwidth Manish Jain, Univ-Delaware Constantinos Dovrolis, Univ-Delaware Sigcomm 02.

Pathload A measurement tool for end-to-end available bandwidth Manish Jain, Univ-Delaware Constantinos Dovrolis, Univ-Delaware Sigcomm 02.
NETWORK LAYER (1) T.Najah AlSubaie Kingdom of Saudi Arabia Prince Norah bint Abdul Rahman University College of Computer Since and Information System NET331.

NETWORK LAYER (1) T.Najah AlSubaie Kingdom of Saudi Arabia Prince Norah bint Abdul Rahman University College of Computer Since and Information System NET331.
Principles of Congestion Control Chapter 3.6 Computer Networking: A top-down approach.

Principles of Congestion Control Chapter 3.6 Computer Networking: A top-down approach.
NPLA: Network Prefix Level Authentication Ming Li,Yong Cui,Matti Siekkinen,Antti Ylä-Jääski Aalto University, Finland Tsinghua University, China.

NPLA: Network Prefix Level Authentication Ming Li,Yong Cui,Matti Siekkinen,Antti Ylä-Jääski Aalto University, Finland Tsinghua University, China.
1 Observations regarding a new architecture Kevin Fall Intel Research, Berkeley 18-Sep-2006, Cambridge, UK.

1 Observations regarding a new architecture Kevin Fall Intel Research, Berkeley 18-Sep-2006, Cambridge, UK.
(4.4) Internet Protocols Layered approach to Internet Software 1.

(4.4) Internet Protocols Layered approach to Internet Software 1.
Page # Advanced Telecommunications/Information Distribution Research Program (ATIRP) Authentication Scheme for Distributed, Ubiquitous, Real-Time Protocols.

Page # Advanced Telecommunications/Information Distribution Research Program (ATIRP) Authentication Scheme for Distributed, Ubiquitous, Real-Time Protocols.
Statistical Analysis of Malformed Packets and Their Origins in the Modern Internet NETREAD UC Berkeley George Porter Oct 4, 2002.

Statistical Analysis of Malformed Packets and Their Origins in the Modern Internet NETREAD UC Berkeley George Porter Oct 4, 2002.
Networks: Sample Performance Problems 1 Sample Network Performance Problems.

Networks: Sample Performance Problems 1 Sample Network Performance Problems.
Secure Routing and Intrusion Detection For Mobile Ad Hoc Networks Secure Routing and Intrusion Detection For Mobile Ad Hoc Networks Anand Patwardhan Jim.

Secure Routing and Intrusion Detection For Mobile Ad Hoc Networks Secure Routing and Intrusion Detection For Mobile Ad Hoc Networks Anand Patwardhan Jim.
Chapter 12 Network Security.

Chapter 12 Network Security.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.
8-1 Internet security threats Mapping: m before attacking: gather information – find out what services are implemented on network  Use ping to determine.

8-1 Internet security threats Mapping: m before attacking: gather information – find out what services are implemented on network  Use ping to determine.
CPSC156a: The Internet Co-Evolution of Technology and Society Lecture 3: September 11, 2003 Internet Basics, continued Acknowledgments: R. Wang and J.

CPSC156a: The Internet Co-Evolution of Technology and Society Lecture 3: September 11, 2003 Internet Basics, continued Acknowledgments: R. Wang and J.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
Phalanx: Withstanding (?) Multimillion-Node (?) Botnets Paper by Colin Dixon, Thomas Anderson and Arvind Krishnamurthy NSDI ‘08 ?? by Mark Ison and Gergely.

Phalanx: Withstanding (?) Multimillion-Node (?) Botnets Paper by Colin Dixon, Thomas Anderson and Arvind Krishnamurthy NSDI ‘08 ?? by Mark Ison and Gergely.
Introduction to Management Information Systems Chapter 5 Data Communications and Internet Technology HTM 304 Fall 07.

Introduction to Management Information Systems Chapter 5 Data Communications and Internet Technology HTM 304 Fall 07.
John Kristoff DePaul Security Forum 2003 1 Network Defenses to Denial of Service Attacks John Kristoff +01 312 362-5878.

John Kristoff DePaul Security Forum Network Defenses to Denial of Service Attacks John Kristoff

Similar presentations

Ads by Google