320 likes | 469 Views
Accountability Internet Protocol (AIP). David G. Andersen (CMU) Hari Balakrishnan (MIT) Nick Feamster (Georgia Tech) Teemu Koponen (ICSI & HIIT) Daekyeong Moon, Scoot Shenker (UCB) In Proc. SIGCOMM, 2008 Speaker: Yun Liaw. Outline. Introduction AIP Design Uses of Accountability
E N D
Accountability Internet Protocol (AIP) David G. Andersen (CMU) Hari Balakrishnan (MIT) Nick Feamster (Georgia Tech) Teemu Koponen (ICSI & HIIT) Daekyeong Moon, Scoot Shenker (UCB) In Proc. SIGCOMM, 2008 Speaker: Yun Liaw
Outline • Introduction • AIP Design • Uses of Accountability • Routing Scalability with AIP • Key management • Traffic Engineering and AD Size • Related Work, Conclusion and Comments Speaker : Yun Liaw
Introduction • Accountability:The fundamental ability to associate an action with the responsible entity • The problematic requirements of past approaches: • Complicated mechanisms • External sources of trust (e.g., CA in S-BGP) • Operator vigilance (e.g., Ingress Filtering) • AIP: A next generation network architecture that provides accountability as first-order property Speaker : Yun Liaw
AIP Design Speaker : Yun Liaw
AIP Design • A simple generalization of Internet’s original two-level hierarchical addressing structure – AD:EID • Accountability Domains (AD): • Independently administered networks, each with a unique identifier • Multiple levels in hierarchy of AD is supported • End-Point Identifier (EID): Host-assigned globally unique identifier • Interface bits (if): The last 8 bits of EID, in order to handle the hosts that attaches multiple times to the same AD • General form of AIP – AD1:AD2:...:ADk:EID Speaker : Yun Liaw
AIP Design • Self Certifying: The name of an object is the public key that corresponds to that object • Accountability needs verifiable identity • We use cryptographic signatures for verification • The identifier should be bound to their public key • Security should not rely on manual configuration or trusted authorities • AD: The hash of the public key of the domain • EID: The hash of the public key of that corresponding host Speaker : Yun Liaw
Forwarding and Routing Speaker : Yun Liaw
Uses of Accountability Speaker : Yun Liaw
Source Accountability: Detecting & Preventing Source Spoofing • uRPF (Unicast Reverse Path Forwarding): An automatic filtering mechanism that accepts packets only if the route to the packet’s source points to the same interface on which the packet arrived Speaker : Yun Liaw
Source Accountability: EID verification Speaker : Yun Liaw
Source Accountability: AD verification - Scalability • Accept cache management: If the number of entries for single AD exceeds the threshold, upgrade to an single-AD wildcard AD:* • Division of filtering responsibility: • Border routers: Verify the source of customer whose return path does not go directly to the customer • Interior routers: Need not perform further actions • Peering routers: Large peers, will likely to trust the peer’s verification based on a bilateral contractual agreement Speaker : Yun Liaw
“Protect those who protect themselves” Source Accountability: AD verification • Limiting Address Minting • EID limiting: Place EIDs/second limit on each port • AD limiting: Limit the number of ADs that a customer could announce Speaker : Yun Liaw
Source Accountability: Shut-off Protocol • Smart-NIC (Smart Network Interface Card) • Check the hash • If hash matches, suppressing the traffic for the duration of TTL Speaker : Yun Liaw
Source Accountability: Securing BGP • AIP simplifies the task of deploying mechanisms, since IP lacks a firm binding between public keys, ASes, and prefixes • Operators configure a BGP peering session, and the session is automatically aware of the public keys by identifying the peer AD • BGP routers sign the routing announcements, and routers that receiving a update should verify before applying it • Each router must be able to find the public key that corresponds to that AD Speaker : Yun Liaw
Routing Scalability with AIP Speaker : Yun Liaw
Routing Growth Estimation • Diameter of the Internet / AS path length: shrinking • Routing table size: • BGP update volume: • By 2020, when a BGP session resets, the routers will have to exchange ≥ 1.6 millions prefixes with each peer, ideally in a few seconds Speaker : Yun Liaw
Routing Table Size Speaker : Yun Liaw
Effects of Moving to AIP • FIB (Forwarding Information Base) lookups become flat • The prefix size (32 bits) and ASes (16 bits) will increase to 160 bits (hash of public key) • Router will need to store a copy of each AD’s public key • CPU costs for cryptographic operations (similar to S-BGP) • The Internet diameter may keep unchanged Speaker : Yun Liaw
Resource Requirements • Semiconductor Growth Trends: Moore’s Law • RIB & FIB storage (RAM): Speaker : Yun Liaw
Resource Requirements • Update processing (CPU): Routing table would grow by a factor of between 5 and 9 by 2020, and the Moore’s Law expects that CPU is grow by a factor of 16 • Cryptographic overhead: • By 2020, a commodity CPU should be able to verify 480K and create 13K signatures per second • Verifying one signature for each route announcement from each of 20 peers would requires seconds • In summary, technology trends suggest that routing scalability with respect to memory, CPU and so on are all manageable Speaker : Yun Liaw
Key Management Speaker : Yun Liaw
Key Discovery • The key is obtained automatically once the address is known • Address can be obtained by any kind of lookup service: manually, S-DNS, etc. • Assume that peering ADs can identify each other out-of-band Speaker : Yun Liaw
Key Registries • Maintain a public registry for each AD and the ADs to which each EID is bound • Assumption: • The existence of global registries where principals can registercryptographically signed assertions • The existence of per-domain registries that can be housed by the ISP itself • Advantages: • No need for any central authority. The registry verifies the signature before storing data • The registry can be populated by the entities involved, with no need for human intervention or involvement Speaker : Yun Liaw
Key Registries • Class of Assertions in the registries: • Keys: • Revoked keys: • Peerings: • ADs of EID X: • First hop router of X: Speaker : Yun Liaw
Key Registries • Maintaining the domains registry – by AD • Forcing domain to sign A:X entries before the DNS server and resolvers will accept them as the result of a DNS resolution • Using the registries: • For hosts: Check the global registry for which domain are hosting it, and check the domain-specific registry for first-hop routers are hosting it • For domains: Checks the global registry to see which domains claim to be peering with it Speaker : Yun Liaw
Traffic Engineering and AD Size Speaker : Yun Liaw
Traffic Engineering • Goal: To map an offered load on to a set of available paths • ADs cannot be split into sub-prefixes for finer control over routing • AD Granularity • AD: A group of nodes that meets these two criteria– • They are administered together • They would fail together under common network failures • AD granularity corresponds roughly to the way in which connectivity to the network changes Speaker : Yun Liaw
Traffic Engineering • Splitting ADs for TE • ISPs could creating an AD from each prefix in the wide-area BGP routing tables • One can use interface bits in order to sub-divide an AD • DNS-based load balancing • Server-centric view: How to load balance traffic destined for a particular service across machines in a cluster or across data centers • AIP’s interface bits might simplify the load-balancing by representing a service as a single “host” multiple times Speaker : Yun Liaw
Related Work, Conclusion and Comments Speaker : Yun Liaw
Related Work & Conclusion • Related Work • Self-certifying names (CGA, HIP) • Separating identifiers and locators (GSE/8+8) • Scalability • Source accountability (packet filtering, Passport) • Control-plane accountability (S-BGP, soBGP) • Conclusion • Using a simple hierarchical addressing scheme with self-certifying components to enable accountability, to solve source spoofing, DoS traffic, and S-BGP Speaker : Yun Liaw
Comments • Some assumptions seems not feasible today (e.g., global key registry) • Who should hold the accountability? • The Next-Generation network architecture would always face the problem that how to make people adopt it • Do we really need accountability as the first-order property in Internet? Speaker : Yun Liaw