310 likes | 467 Views
Policy Enforcing for Probe Based Admission Control. Master of Science Thesis. Marcello Conte. Royal Institute of Technology (KTH), Dept. Of Teleinformatics (IT) Stockholm, Sweden Politecnico di Torino, Dept. Of Computer and Control Engineering Turin, Italy.
E N D
Policy Enforcing for Probe Based Admission Control Master of Science Thesis Marcello Conte
Royal Institute of Technology (KTH), Dept. Of Teleinformatics (IT)Stockholm, SwedenPolitecnico di Torino, Dept. Of Computer and Control Engineering Turin, Italy • Technical Advisor: Ignacio Más Ivars • Supervisor at KTH/IT Viktória Fodor • Supervisor at Politecnico di Torino Antonio Lioy Policy Enforcing for Probe Based Admission Control
Content • Background • Probe Based Admission Control (PBAC) • Testbed Architecture • Policy Enforcing Protocol • Performance Evaluation • Conclusion & Future Work Policy Enforcing for Probe Based Admission Control
Background • Predictable QoS guarantees for Real Time services • Integrate and support multimedia applications: • VoIP, video/audio streaming etc. • Best-Effort service unsatisfactory • IETF set up working groups: • IntServ RFC 1633 • DiffServ RFC 2475 Policy Enforcing for Probe Based Admission Control
Measurement Based Admission Control (MBAC) • Solve scalability problems • Combine IntServ and DiffServ architecture • Access control at the edge nodes: • Probes the network to experience the congestion level • Performs measurement on: • Packet loss percentage, packet delay • Accept/reject incoming session Policy Enforcing for Probe Based Admission Control
Probe Based Admission Control (PBAC) • Provides a Controlled Load Service (CLS) • Upper bound on packet loss, low delay • Probe packets include: • Peak bit rate, time duration, session identifier • Router support: • Distinguish probe and data packets • Serve packets with priority • Trust between network and end-users Policy Enforcing for Probe Based Admission Control
PBAC requirements • Sender does not transmit data: • At a higher bitrate than the one agreed • If rejected by the receiver • Receiver: • Take a reliable admission decision • Protection of the probing flow Policy Enforcing for Probe Based Admission Control
Testbed architecture • Hardware: • Celeron 800MHz, RAM 128 MBytes Xmms Internet FFserver Policy Enforcing for Probe Based Admission Control
Testbed architecture Xmms FFserver CLS provider CLS provider Internet AG AG Policy Enforcing for Probe Based Admission Control
User’s misbehavior Intruder attack Security issue Xmms FFserver Internet AG AG Policy Enforcing for Probe Based Admission Control
Policy enforcing protocol • Collection of cryptographic mechanisms • Assist the probe phase of the PBAC • Functions: • Monitors PBAC users behavior • Protects the probe phase from intruder attacks • AG support at the border of the network Policy Enforcing for Probe Based Admission Control
Cryptographic mechanisms • Entity authentication • Signature scheme, Certificate extension • Message integrity check • SHA-1, MD5, MAC, etc. • Key exchange • Diffie-Hellman, Needham-Schroeder, etc. • Message Encryption • RC4, DES, RSA, IDEA, etc. Policy Enforcing for Probe Based Admission Control
Monitor user’s behaviour Checking the CLS API used Protect the probing flow Encrypting the link Code authentication Secure tunnel Solution Policy Enforcing for Probe Based Admission Control
Code authentication (CA) • Forces the end-users to follow the steps of PBAC • Makes sure AGs about the CLS API authenticity • Requires end-users to show an authentication key Policy Enforcing for Probe Based Admission Control
Key Digest Code authentication (CA) • AG generates a key • End-user: • Computes MAC on the CLS API • Sends back the digest • AG: • Checks the validity of the digest • Accept/reject end-user End-user AG Policy Enforcing for Probe Based Admission Control
AGs involved in the communication: Authenticate themselves Share a secret key Cover the messages exchanged Policy enforcing protocol task: RSA signature Key exchange protocol Encryption Secure tunnel establishment Policy Enforcing for Probe Based Admission Control
VA,sSA(IPA,IPB) VB,sSB(IPB,IPA) RSA signature • AGs authentication • AGA sends a public verification key VA and a signed message with both the IP address of the AG • AGB verifies AGA AGB AGA • AGB sends a public verification key VB and a signed message with both the IP address of the AG • AGA verifies AGB Policy Enforcing for Probe Based Admission Control
AGs involved in the communication: Authenticate themselves Share a secret key Cover the messages exchanged Policy enforcing protocol task: RSA signature Key exchange protocol Encryption Secure tunnel establishment Policy Enforcing for Probe Based Admission Control
p, g, ga sSA(ga,gb) gb,sSB(gb,ga) Key exchange protocol • AGA generates a prime random number p and a random exponent g • AGA picks a random number a and sends the parameters and the public key ga • AGB picks a random number b and sends the public key gb and a signed message with both the public keys AGB AGA • AGA sends a signed message with both the public keys as acknowledgment • Both AGA and AGB compute the shared key K = gab Policy Enforcing for Probe Based Admission Control
AGs involved in the communication: Authenticate themselves Share a secret key Cover the messages exchanged Policy enforcing protocol task: RSA signature Key exchange protocol Encryption Secure tunnel establishment Policy Enforcing for Probe Based Admission Control
eK(probe packets) eK(Admission packet) Message encryption • Using fast algorithm to lower the delay of the encryption/decryption • RC4 • To cover: • The content of the probe packet AGB AGA • The admission decision Policy Enforcing for Probe Based Admission Control
Connection shutdown • If a security check fails: • The AGs do not forward packets between the end-users • The AGs close the sockets to the end-users • User forced to repeat the procedure • Otherwise: • The probe phase begins Policy Enforcing for Probe Based Admission Control
CA evaluation • Test performed varying the size of the key • Digest computed on the CLS API of 1 Mbytes • Average value of 53 msecs • The size of the key does not affect the delay in computing the digest Policy Enforcing for Probe Based Admission Control
RSA evaluation • Test performed varying the size of the public and private keys • Complexity in generating the public/private keys • Delay introduced by the sign/verify functions • Delay increases with the size of the keys Policy Enforcing for Probe Based Admission Control
KEP evaluation First test • The RSA signature scheme affects the KEP • Shared key size fixed to: • 16 bytes • Varying the size of the RSA keys • Delay: • introduced by the RSA sign/verify functions • Increases linearly Policy Enforcing for Probe Based Admission Control
KEP evaluation Second test • Fixed size of the RSA keys • Varying the size of the shared key • Exponential trend due: • Complexity in generating shared parameters (p,g) • Delay for computing the shared key • The security level increases the delay Policy Enforcing for Probe Based Admission Control
Policy enforcing setup delay • Evaluation of the delay that the protocol introduces • Delay increases with the security level • Trade off between the security level and the delay • Suggest set of parameters: • CA 1024 bytes • RSA 128 bytes • KEP 32 bytes 2937 msecs • Delay introduced: • CA 52 msecs • RSA 1799 msecs • KEP 1086 msecs Policy Enforcing for Probe Based Admission Control
Policy enforcing setup delay • Probe duration time in the worse case: 5 secs • Policy enforcing protocol delay: 2937 msecs • Delay for the service provision: ~ 8 secs • Medium security level • Delay comparable to the probe duration time • Reliable upper bound on the service provision Policy Enforcing for Probe Based Admission Control
Conclusion • Simple and fast and flexible security solution • The scheme offers: • Assurance about end-user’s identity • Protection of the probing flow from intruder attack • Testbed implemented: • Does not require any change within the network topology • Requires a cryptographic interface to run on the AGs • End-user’s applications to support the code authentication feature Policy Enforcing for Probe Based Admission Control
Future work • Add certificate extensions (X.509) for authentication • Strengthen the KEP with timestamp and encryption of message exchanged. • Test the scheme using other encryption algorithm (DES, IDEA, etc.) • Test the protocol using different hardware for the simulation • Test the protocol simulating multiple simulaneous connection to AGs Policy Enforcing for Probe Based Admission Control