1 / 15

Security in Differentiated Services Networks

Security in Differentiated Services Networks. Venkatesh Prabhakar Srinivas R. Avasarala Sonia Fahmy. Terminology - I. Per-Hop-Behaviour (PHB): The forwarding behaviour experienced by a traffic flow in a DS domain.

mahlah
Download Presentation

Security in Differentiated Services Networks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Security inDifferentiated Services Networks Venkatesh Prabhakar Srinivas R. Avasarala Sonia Fahmy http://www.cs.purdue.edu/homes/fahmy/cerias

  2. Terminology - I • Per-Hop-Behaviour (PHB): The forwarding behaviour experienced by a traffic flow in a DS domain. • Differentiated Services Code Point (DSCP): A specific field in the IP header used to select a PHB. • Service Level Agreement (SLA): A service contract between a customer and a service-provider that specifies the forwarding service a customer would receive.

  3. Terminology - II • Assured Forwarding (AF): A PHB group that provides different levels of forwarding assurances by using different traffic classes, each with multiple drop precedences. • Expedited Forwarding (EF): A PHB that provides low loss, low latency, low jitter, guaranteed bandwidth service. • Multi-Field (MF) Classifier: A classifier that selects packets based on a combination of fields in the IP header. • Behaviour Aggregate (BA) Classifier: A classifier that selects packets based on the DSCP field in the IP header.

  4. Terminology - III • Meter: A device that measures the traffic rates of flows. • Marker: A device that marks the DSCP field in the IP packet header with values based on SLAs. • Shaper: A device that delays packets in a traffic stream to cause it to conform to a defined traffic profile. • Dropper: A device that drops out-of-profile traffic from a traffic stream.

  5. DiffServArchitecture Boundary Router DS Domain Customer A Customer B Edge Router (Ingress/Egress) Customer Egress Core Router Customer Host

  6. DiffServ Code Point (DSCP) Unused 2 bit DSCP 6bit Ver IHL TOS Total Length Identification Flag Offset TTL Protocol Header Cksum Source Address Destination Address IP Options

  7. Ingress Router Functionality Meter MF Classifier Marker Shaper/ Dropper

  8. Core Router Functionality FIFO EF Packet Scheduler BA Classifier AF RED 4 queues 3 precedences/queue BE FIFO

  9. Attacks on the DS framework I • Network provisioning attacks: Automatic signalling protocols like RSVP or SNMP are used to configure DS nodes from policy distribution points (bandwidth brokers). This process can be attacked by injecting bogus configuration messages, modifying real messages, delaying or dropping them. • Solution: Employ encryption of configuration message exchanges of these signalling protocols.

  10. Attacks on the DS Framework II • Data Forwarding process:Traffic can be injected into the network either to steal bandwidth or cause QoS degradation by causing other customer flows to experience longer delays and higher loss rates. • Solution:We need intrusion detection and response systems to protect QoS in such cases. We propose a distributed monitoring approach with measurement of traffic characteristics like delays and loss rates at all the DS nodes. A network mgmt. station (NMS) collects all the measurements and analyses them to detect violations.

  11. Delay Measurements NMS At Ingress, for every IP packet with probability p, At Egress, use current time – probe timestamp to measure delay and report to NMS in a control packet introduce a new probe packet with current timestamp IPPacket ProbePacket Control Packet Edge Router

  12. Loss Measurements At the NMS, average the reported loss rates and compare against SLA At the core routers, measure loss rate for all flows and classes. When loss rate of a class exceeds its threshold inform loss rate of the flow to NMS. Edge Router NMS Core Router

  13. Processing at Core Router For every IP packet no EF EF/AF Drop ? AF yes Update flow loss rate f_rate Inform NMS Periodically, with time period t, send the loss rates of all flows with loss rates within a fraction k of the flow with the highest loss rate.

  14. Processing at NMS For each message AF Core Core/Edge EF/AF Edge EF Update loss rate for the flow’s SLA at the core router sending this msg. Compute delay as a weighted average davg yes yes davg>dSLA lmax > lSLA Violation no no

  15. Testbed Setup Traffic Generator Ingress Router Core/Egress Router Traffic Sink NMS

More Related