Holding the Internet Accountable
David Andersen, Hari Balakrishnan, Nick Feamster, Teemu Koponen, Daekyeong Moon, Scott Shenker
IP Layer Names Don’t Have Secure Bindings
• There are three kinds of IP layer names: IP address, IP prefix, AS number
• No secure binding of host to its IP addresses
• No secure binding of AS number to its IP prefixes
Problematic Result: IP Lacks Accountability
• Any host can spoof any other host
  • No intrinsic support in IP to detect or prevent
• A network can advertise prefixes arbitrarily
  • Many misconfigs; some examples of ill intent
  • S-BGP requires external mechanisms to bind prefix to AS and AS to public key
  • No intrinsic support in IP to detect or prevent
• Accountability: Ability to associate action with entity or hold entity responsible for action
  • Basis for security in real-world
  • Foundation for raising level of Internet security
AIP: Accountable Internet Protocol
• Goal: Intrinsic support for network-layer accountability in the Internet
• Key idea: New addressing (naming) scheme for networks and hosts
• Simple protocols that use properties of addressing scheme as foundation
  • Securing BGP, anti-spoofing, targeted traffic throttling (anti-DoS)
AIP Addressing
(Figure: one host with a single EID attached to three autonomous domains AD1, AD2, AD3.)
• Address = AD1:EID
• Autonomous domains, each with unique ID (smaller than an AS)
• Each host has a global EID [HIP, DOA, LISP]
• If multihomed, has multiple addresses: AD1:EID, AD2:EID, AD3:EID
• AD and EID are self-certifying [SFS] flat names
  • AD = hash(public_key_of_AD, other_stuff)
  • Self-certification binds name to named entity
AIP Forwarding and Routing
(Figure: a packet from a source in AD R to destination Y:EID traverses ADs R, G, B, Y.)
• Routers in R, G, B use only AD field to forward: route_lookup(Y)
• Once packet is in AD Y (destination AD), Y’s routers: route_lookup(EID)
• Inter-AD routing uses AD numbers as routing objects: Y: AD path = [B G R]; B: AD path = [G R]; etc. Note absence of prefixes
• Intra-AD routing disseminates EIDs (many ways possible)
With AIP Addresses, Accountability is Intrinsic
• (Recall) Ability to associate action with entity or hold entity responsible for action
• Control-plane accountability improves security of routing protocol (BGP)
• Source accountability detects spoofing and forgery
  • Also helps throttle traffic from “well-intentioned” [Shaw] compromised hosts
• Mechanisms borrow ideas from previous work [S-BGP, uRPF], but goals achieved more readily
Control-Plane Accountability (for BGP)
• Origin authentication: Ensure routing prefix being originated by AS X actually belongs to X
• Path authentication: Ensuring accuracy of AS path
• S-BGP and soBGP require external infrastructures
  • Routing registry recording prefix ownership
  • PKI (database) mapping AS to its public key
  • In practice, registries notoriously inaccurate
• With AIP: ADs exchange pub keys via BGP messages
  • Path auth identical to S-BGP (but no PKI)
  • Origin auth achieved “just like that” (no registry)
Source Accountability: Detecting Spoofing
• Property 1: When challenged, only entity with AD A’s private key can prove packet was sent with source address A:
• Property 2: When challenged, only entity with EID E’s private key can prove packet was sent with source address :E
• Any entity seeing packet can check these two properties using a verification protocol
AIP Verification Protocol
(Flowchart, read top to bottom:)
• Receive pkt w/ src A:E
• In accept cache? Y → Accept & forward
• N → Local AD? Y → SLA, uRPF, …
• N → Trust nbhr AD? Y → Accept & forward
• N → Drop pkt; send nonce to A or E
• Receive nonce resp → Verify signature → Add A (or E):iface to accept cache
• Nonce response must be signed w/ A’s (or E’s) priv key
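The self-certifying naming of the addressing slide and the challenge path of the verification protocol, as an added Python illustration that is not the authors' code: a name is the hash of a public key, an unknown source is challenged with a nonce, and the router accepts only a response signed under a key that hashes to the claimed name, then caches (name, iface). A Lamport one-time signature built from hashlib and secrets stands in for the real signature scheme, and the "network" is a direct method call; both are my assumptions.

```python
import hashlib
import secrets

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    # Lamport one-time signature: 256 pairs of random preimages as the
    # private key, their hashes as the public key (stand-in for RSA/ECDSA).
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(h(a), h(b)) for a, b in sk]
    return sk, pk

def sign(sk, msg: bytes) -> list:
    d = int.from_bytes(h(msg), "big")
    return [sk[i][(d >> (255 - i)) & 1] for i in range(256)]  # reveal one preimage per bit

def verify(pk, msg: bytes, sig: list) -> bool:
    d = int.from_bytes(h(msg), "big")
    return all(h(sig[i]) == pk[i][(d >> (255 - i)) & 1] for i in range(256))

def self_cert_name(pk) -> str:
    # AD or EID = hash(public_key[, other_stuff]); binds the name to the key holder.
    return h(b"".join(a + b for a, b in pk)).hex()[:16]

class Host:
    # A source that can answer a nonce challenge for its own EID (one challenge per key,
    # since the stand-in signature is one-time).
    def __init__(self):
        self.sk, self.pk = keygen()
        self.eid = self_cert_name(self.pk)
    def answer_challenge(self, nonce: bytes):
        return self.pk, sign(self.sk, nonce)

class Router:
    def __init__(self):
        self.accept_cache = set()  # verified (name, iface) pairs

    def check(self, src_name: str, iface: str, responder) -> bool:
        # 'responder' stands in for whoever answers the nonce sent to the claimed source.
        if (src_name, iface) in self.accept_cache:
            return True                      # fast path: accept & forward
        nonce = secrets.token_bytes(16)      # drop pkt, send nonce to A or E
        pk, sig = responder.answer_challenge(nonce)
        # Property: only the holder of the key behind the claimed name can sign.
        if self_cert_name(pk) != src_name or not verify(pk, nonce, sig):
            return False
        self.accept_cache.add((src_name, iface))
        return True
```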
AIP Enables Secure Shut-Off
(Figure: destination D sends a shut-off packet back to compromised host X.)
• Problem: Compromised host X sending stream of unwanted traffic to destination D
  • X is “well-intentioned”, owner benign [Shaw]
• Shut-off packet signed by D to X: {time, D’s pub key, hash of recent pkt recd from X by D, TTL}
• Can send shut-offs to hosts or to ADs
• Shut-off scheme implemented in NIC firmware
  • Immutable by host software (updates require physical access via USB/serial port)
Limitations and Concerns
• AIP handles spoofing, but what about minting?
  • Any entity can make up self-certified addresses
  • Each AD must control #EIDs per host to protect
  • Any entity can make up routing announcements for non-existent ADs
  • We’re studying a few approaches to this problem
• Key management and compromise?
  • Each AD has master key pair and current key pair; uses master to issue change
  • But AD number and all its addresses must change
• More concerns in paper: routing scalability (wrt state and update volume), traffic engineering, …
Conclusion
• Q: How to achieve network-layer accountability in an internetwork?
• A: Self-certifying internetwork addresses
  • AD:EID (AIP)
  • Each field derived from public keys
• Control-plane (routing) and source (anti-spoofing) accountability are now intrinsic
• Ideas compose well with other mechanisms for mobility, higher availability, etc.