INM Workshop, SIGCOMM 2006

On Information Hiding and Network Management (A Position Paper)
Kenneth L. Calvert and James Griffioen
Laboratory for Advanced Networking, Department of Computer Science, University of Kentucky
Thanks: Cisco, Kentucky Science and Eng. Foundation
The Network Management Tussle
• Service providers have to:
  • compete with each other
  • cooperate with each other
• Network management requires information
  • about the network being managed
  • about the rest of the Internet
• Providers want to hide information about their networks
Why Hide Information?
• Competitive pressures
  • Reveal as little as possible about business practices and customer relationships
• Customer privacy
  • Concerns about possible repercussions of revealing, e.g., communication patterns
• Safety and security
  • Detailed information about a provider's system may make it easier to attack
Why Not Hide Information?
• It is useful for network management:
  • Where are the packets being dropped?
  • What is the maximum number of dropped packets in this part of the network?
  • How many routers have seen packets sent to strange ports?
• It is also useful for applications and users generally:
  • Where are the packets being dropped?
  • Which end-to-end paths share congested links?
  • What is the maximum 5-second average queue length along this path?
  • What is the maximum loss rate experienced by any receiver?
Existing Network Management (SNMP)
• Low-level interface to the available information
  • Get/Set
  • One-to-one communication model
  • Higher-level functions tend to be vendor-specific
• Inadequate trust model
  • Choose between insecure or heavyweight authentication
  • Signature verification overhead opens DoS possibilities
• Scalability issues (see also [IAB 2004])
  • No convenient way to probe a group of nodes
  • Hard to manage policies for large numbers of nodes
SNMP cannot support a NM paradigm shift!
What is needed? (aka: our position)
For users:
• Per-packet access: any packet should be able to request (read) information from any router.
• Minimal policy: minimize distinctions among packets regarding access to information facilities.
For providers:
• Processed information: it must be possible to collect and process data (e.g., perform aggregation/summarization) to hide information and/or improve scalability.
• Information hiding: information may be modified as it crosses a provider's boundary, allowing providers to control how data is made available (exposed) to the outside world.
Note: existing heavyweight mechanisms can still be used when needed.
Assumptions
[Figure: a local (inside) domain whose border routers connect over border links to two external (outside) domains and to the rest of the world.]
• Providers manage domains
• Domains define information-hiding boundaries
• Nodes (routers/end systems) are either inside or outside a given domain
• Nodes inside the domain with links to one or more nodes outside the domain are border routers
• Links connecting border routers in different domains are border links
• Packets get lower authorization if they cross a border link
Techniques for Hiding while Exposing
• Aggregation
• Anonymization
• Abstraction
Implementation context: Ephemeral State Processing (ESP)
• Supports simple distributed computations with state
• Operates at line speed (per-packet processing, near the fast path)
• ESP-NM: read access to (some) MIB variables
Ephemeral State Store
• Information persists for a fixed time, then vanishes
  • a few seconds
• Stored information cannot be refreshed
• An associative store
  • Binds tags to values (partial function ƒ)
• Semantics:
  • put(t, v): establishes ƒ.t = v
  • get(t): if ƒ is defined at t, return ƒ.t; else return null
• Users choose tags randomly
Aggregation
• Goal: hide individual values collected from a set of nodes
• Idea: use an aggregation function to compute a "representative" value
• Example functions: Max, Min, Avg, Sum, etc.
• Example uses:
  • Identify the receiver with the maximum loss rate in a group
  • Find the path with the shortest average queue length
  • Compute the overall network load
• Advantages:
  • Hides information
  • Simplifies the interface: less information to deal with
  • Distributes processing
Aggregation Implementation (using ESP-NM)
• Two (triggered) phases
  • Establish child counts at every router on the path to the monitor node
  • Send individual values along with the aggregation operation (e.g., max, min, sum)
• Example: collect the minimum value from a set of receivers
Feedback Aggregation (Phase 1), Time=1 to 6
[Figure: animation over a tree of routers A, B, C, D, E with monitor S and receivers r1, r2, r3. Operands: counter tag c, threshold value 1. COUNT packets from the receivers establish child counts at every router on the path to S; by Time=6 the bindings are (c,3) at A and (c,1), (c,2), (c,2) at the routers below it.]

Feedback Aggregation (Phase 2), Time=7 to 16
[Figure: COLLECT packets carry the receivers' values (the frames show packet values 3, 2, 5, 2, 4 and 2) with the min operation. At each router the counter is decremented and the value binding (v, ...) is updated with the minimum seen so far; the aggregated value is forwarded upstream once the counter reaches (c,0), leaving bindings such as (c,0) (v,2).]

Feedback Aggregation (Result), Time=17
[Figure: S receives the single aggregated value 2 (the minimum); every router on the path holds (c,0) (v,2).]
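The store semantics from the Ephemeral State Store slide and the two-phase COUNT/COLLECT scheme from the Aggregation Implementation slide, as an added Python simulation that is not part of the original deck and not the authors' ESP implementation. The 10-second binding lifetime, the tree r1 -> B -> A -> S, r2 -> D -> A, r3 -> D, the receiver values, and the rule that a router forwards a COUNT packet only while its count is within the threshold (so a parent counts each child branch once) are assumptions made for this example.

```python
import random
import time
from typing import Callable, Dict, List, Optional, Tuple

# Lifetime of an ephemeral binding in seconds. The deck says "a few seconds";
# 10 s is an assumption made for this simulation.
ESS_LIFETIME = 10.0
Op = Callable[[int, int], int]


class EphemeralStateStore:
    """Associative store binding tags to values (the partial function f).
    A binding vanishes a fixed time after it is created; a put on a live tag
    changes the value but keeps the original expiry ("cannot be refreshed")."""

    def __init__(self, lifetime: float = ESS_LIFETIME,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._lifetime, self._clock = lifetime, clock
        self._bindings: Dict[int, Tuple[object, float]] = {}

    def _expire(self) -> None:
        now = self._clock()
        for tag in [t for t, (_, exp) in self._bindings.items() if exp <= now]:
            del self._bindings[tag]

    def put(self, tag: int, value: object) -> None:
        """Establish f.t = v; the expiry is fixed at the first put."""
        self._expire()
        expiry = (self._bindings[tag][1] if tag in self._bindings
                  else self._clock() + self._lifetime)
        self._bindings[tag] = (value, expiry)

    def get(self, tag: int) -> Optional[object]:
        """Return f.t if f is defined at t, else None."""
        self._expire()
        entry = self._bindings.get(tag)
        return None if entry is None else entry[0]


def new_tag() -> int:
    """Users choose tags randomly; 64 bits makes collisions negligible."""
    return random.getrandbits(64)


class Node:
    """Router or end system with its own store and a next hop toward the
    monitor; the monitor is the node without a parent."""

    def __init__(self, name: str, store: EphemeralStateStore) -> None:
        self.name, self.store, self.parent = name, store, None
        self.delivered: List[int] = []          # aggregates reaching a monitor

    def count(self, c: int, threshold: int = 1) -> None:
        """Phase 1 (COUNT): operands are counter tag c and a threshold."""
        n = (self.store.get(c) or 0) + 1
        self.store.put(c, n)
        # Forward only while within the threshold, so the parent counts this
        # node as one child however many receivers sit below it.
        if n <= threshold and self.parent is not None:
            self.parent.count(c, threshold)

    def collect(self, c: int, v: int, value: int, op: Op) -> None:
        """Phase 2 (COLLECT): fold the value into v, decrement c, and forward
        the aggregate upstream once every counted child has reported."""
        current = self.store.get(v)
        self.store.put(v, value if current is None else op(current, value))
        remaining = (self.store.get(c) or 0) - 1
        self.store.put(c, remaining)
        if remaining == 0:
            aggregate = self.store.get(v)
            if self.parent is None:
                self.delivered.append(aggregate)
            else:
                self.parent.collect(c, v, aggregate, op)


def build_topology(clock: Callable[[], float] = time.monotonic):
    """Constructed tree: r1 -> B -> A -> S, r2 -> D -> A, r3 -> D."""
    def mk(name: str) -> Node:
        return Node(name, EphemeralStateStore(clock=clock))
    s, a, b, d = mk("S"), mk("A"), mk("B"), mk("D")
    r1, r2, r3 = mk("r1"), mk("r2"), mk("r3")
    a.parent, b.parent, d.parent = s, a, a
    r1.parent, r2.parent, r3.parent = b, d, d
    return s, {"A": a, "B": b, "D": d}, [r1, r2, r3]


def count_phase(receivers: List[Node], c: int) -> None:
    for r in receivers:                 # each receiver triggers a COUNT packet
        r.parent.count(c)


def collect_phase(receivers: List[Node], c: int, v: int,
                  values: Dict[str, int], op: Op) -> None:
    for r in receivers:                 # each receiver sends its own value
        r.parent.collect(c, v, values[r.name], op)


def aggregate(monitor: Node, receivers: List[Node],
              values: Dict[str, int], op: Op) -> Optional[int]:
    """Run both phases under fresh random tags; the monitor sees one value."""
    c, v = new_tag(), new_tag()
    count_phase(receivers, c)
    collect_phase(receivers, c, v, values, op)
    return monitor.delivered[-1] if monitor.delivered else None
```

With values r1=3, r2=5, r3=2 and op=min the monitor receives a single 2; no router above the receivers, and not S, ever stores an individual receiver's value other than through the running aggregate. Two properties of the store matter operationally: if the counter binding expires between the phases, the COLLECT packet finds no count, the decrement never reaches 0, and nothing is forwarded, so both phases must complete within the binding lifetime; and because any packet may carry ESP operations, a guessable tag would let a third party read or perturb another user's running aggregate, which is why tags are chosen randomly.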
Anonymization
• Goal: obscure the identity of network elements while maintaining the ability to differentiate among nodes, domains, etc.
• Idea: return anonymized data, but maintain (locally) the mapping between anonymized values and real values
  • Think cookies
• Example uses:
  • Find the most heavily loaded router along a path (without revealing its identity), then query that router for additional info
  • Determine whether two paths traverse the same domain without revealing which domain
• Advantages:
  • Allows providers to hide private information while releasing enough information for users to differentiate/compare/query internal nodes
Anonymization Implementation (using ESP-NM)
• Anonymization can occur:
  • at the node that creates the response, OR
  • at a border router (similar to NAT)
• Similarly, identity instantiation (mapping an anonymized value back to the real node) occurs:
  • at the node that anonymized the value, or
  • at the border router that anonymized the value
• Issue: routing to anonymized nodes
  • Send to the same destination as the original information request so the packet follows the same path, OR
  • Border routers replace the source address with their own address
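The border-router variant from the two Anonymization slides (anonymize on the way out, map back on the way in, replace the source address with the border router's own), as an added Python example that is not part of the original deck. The cookie format, the 30-second cookie lifetime, the decision to scope cookies per requester, and the three routers with their load and interface counts are constructed for the example; the internal ESP-NM read request is stood in for by a plain function.

```python
import secrets
import time
from typing import Callable, Dict, List, Optional, Tuple

# Assumption: an issued cookie stays resolvable at the border for this long.
COOKIE_LIFETIME = 30.0


class BorderAnonymizer:
    """Border router that rewrites internal node identities in responses
    leaving the domain and maps them back for follow-up requests coming in.
    Cookies are random, scoped to the requester, and expire: one requester can
    compare and re-query nodes, while another party cannot link or reuse them."""

    def __init__(self, address: str, lifetime: float = COOKIE_LIFETIME,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.address, self._lifetime, self._clock = address, lifetime, clock
        self._by_real: Dict[Tuple[str, str], Tuple[str, float]] = {}
        self._by_cookie: Dict[Tuple[str, str], Tuple[str, float]] = {}

    def _expire(self) -> None:
        now = self._clock()
        self._by_real = {k: e for k, e in self._by_real.items() if e[1] > now}
        self._by_cookie = {k: e for k, e in self._by_cookie.items() if e[1] > now}

    def cookie_for(self, requester: str, real: str) -> str:
        """Same (requester, node) pair gives the same cookie while it is live,
        so the requester can tell whether two answers name the same node."""
        self._expire()
        entry = self._by_real.get((requester, real))
        if entry is not None:
            return entry[0]
        cookie = "anon-" + secrets.token_hex(8)
        expiry = self._clock() + self._lifetime
        self._by_real[(requester, real)] = (cookie, expiry)
        self._by_cookie[(requester, cookie)] = (real, expiry)
        return cookie

    def resolve(self, requester: str, cookie: str) -> Optional[str]:
        """Reverse mapping; only the requester the cookie was issued to succeeds."""
        self._expire()
        entry = self._by_cookie.get((requester, cookie))
        return None if entry is None else entry[0]

    def egress(self, requester: str, entries: List[Tuple[str, object]]) -> dict:
        """Response leaving the domain: node ids become cookies and the source
        address becomes the border router's, so follow-ups route back here."""
        return {"src": self.address, "dst": requester,
                "entries": [(self.cookie_for(requester, n), val) for n, val in entries]}

    def ingress(self, request: dict) -> Optional[dict]:
        """Request entering the domain aimed at a cookie: rewrite the target to
        the real node, or drop the request if the cookie is unknown or expired."""
        real = self.resolve(request["src"], request["target"])
        if real is None:
            return None
        return {"requester": request["src"], "target": real, "query": request["query"]}


# Constructed sample MIB-like data for the routers on one internal path.
DOMAIN_PATH = ["rtr-3", "rtr-17", "rtr-8"]
DOMAIN_MIB = {
    "rtr-3": {"load": 0.41, "ifaces": 8},
    "rtr-17": {"load": 0.93, "ifaces": 24},
    "rtr-8": {"load": 0.67, "ifaces": 12},
}


def domain_answer(target: str, query: str) -> object:
    """Stand-in for an internal node answering an ESP-NM read request."""
    return DOMAIN_MIB[target][query]


def busiest_router_ifaces(border: BorderAnonymizer, requester: str) -> Tuple[str, int]:
    """Outside user: find the most loaded router on the path without learning
    its identity, then ask that same router for its interface count."""
    reply = border.egress(requester, [(n, domain_answer(n, "load")) for n in DOMAIN_PATH])
    busiest_cookie = max(reply["entries"], key=lambda e: e[1])[0]
    follow_up = {"src": requester, "target": busiest_cookie, "query": "ifaces"}
    inside = border.ingress(follow_up)
    if inside is None:
        raise ValueError("cookie not resolvable at this border")
    real = inside["target"]
    answer = border.egress(requester, [(real, domain_answer(real, "ifaces"))])
    return answer["entries"][0]   # (same cookie, 24); the real id never leaves
```

Scoping the mapping per requester is the design choice that does the security work: a cookie copied from one party's reply is useless to another, and a cookie that has expired at the border is dropped at ingress rather than forwarded inside. Per-requester state also bounds what an attacker can learn by correlating cookies across many sources, at the cost of the border router keeping one table entry per (requester, node) pair for the cookie lifetime, which is the DoS surface the Dangers/Concerns slide asks about.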
Abstraction
• Goal: view a group of nodes as a single entity
• Idea: the domain administrator defines virtual entities; border routers create the illusion of a single entity
• Example entities: a virtual path from the ingress to the egress of a domain, or the whole domain looks like a virtual node
• Example uses:
  • Return the loss rate of the internal path across a domain as if it were a single link
  • Compute the delay across the virtual path connecting the ingress and egress points of a domain
• Advantages:
  • Hides the identities of group members
  • Allows a set of network elements to be treated as a single element
Abstraction Implementation (using ESP-NM)
• "Push" a new ESP computation on entry to a domain, and "pop"/use the result on exit from the domain
• Routers know when a packet is entering and exiting a domain
• Example: a packet finds the maximum link delay
  • Upon entry, the border router pushes an "add <delay>" operation to sum the delays of links inside the domain
  • Upon exit, the border router pops the computed delay value for the path and uses it as one value in the original ESP request for link delay
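The push/pop scheme from the Abstraction Implementation slide, as an added Python example that is not part of the original deck. The seven-node path across domains U, T and V, the link delays, the choice that border links stay visible to the original request, and the folding of a computation still pushed when the packet reaches its destination are assumptions; the computations are carried in the packet rather than in per-router ESP stores, which is a simplification of the scheme.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed topology (node -> domain): U is the requester's home domain,
# T a transit provider that hides its interior, V the destination's domain.
NODE_DOMAIN: Dict[str, str] = {"r": "U", "u1": "U", "t1": "T", "t2": "T",
                               "t3": "T", "v1": "V", "d": "V"}

# Constructed forward path as (src, dst, delay_ms). A link whose endpoints
# lie in different domains is a border link.
PATH: List[Tuple[str, str, float]] = [
    ("r", "u1", 2.0), ("u1", "t1", 1.0), ("t1", "t2", 3.0),
    ("t2", "t3", 4.0), ("t3", "v1", 1.0), ("v1", "d", 2.0)]


@dataclass
class Computation:
    """One ESP computation carried by the packet: the user's original request
    ("max") or a summing computation pushed by a border router."""
    op: str
    value: Optional[float] = None

    def apply(self, x: float) -> None:
        if self.value is None:
            self.value = x
        elif self.op == "max":
            self.value = max(self.value, x)
        elif self.op == "sum":
            self.value += x
        else:
            raise ValueError(f"unknown op {self.op}")


@dataclass
class Packet:
    request: Computation                                    # original request
    stack: List[Computation] = field(default_factory=list)  # pushed by borders
    seen: List[str] = field(default_factory=list)           # what the request saw

    def top(self) -> Computation:
        return self.stack[-1] if self.stack else self.request


def forward(packet: Packet, path: List[Tuple[str, str, float]],
            node_domain: Dict[str, str], hiding: Set[str]) -> Packet:
    """Walk the path; border routers of hiding domains push on entry and pop
    on exit, feeding the popped sum to the request as one link value."""
    for src, dst, delay in path:
        d_src, d_dst = node_domain[src], node_domain[dst]
        if d_src == d_dst:
            # Internal link: goes to whichever computation is on top and is
            # recorded as seen only when nothing hides it.
            packet.top().apply(delay)
            if not packet.stack:
                packet.seen.append(f"{src}-{dst}")
            continue
        # Border router src: exiting d_src. Pop the domain's sum and use it as
        # ONE value in the original request (the domain looks like a link).
        if d_src in hiding and packet.stack:
            packet.request.apply(packet.stack.pop().value or 0.0)
            packet.seen.append(f"{d_src}:virtual-link")
        # Assumption: the border link belongs to neither domain and stays visible.
        packet.request.apply(delay)
        packet.seen.append(f"{src}-{dst}")
        # Border router dst: entering d_dst. Push "add <delay>" for the interior.
        if d_dst in hiding:
            packet.stack.append(Computation("sum"))
    # Assumption not stated in the deck: a computation still pushed when the
    # packet reaches its destination is folded the same way as on exit.
    while packet.stack:
        packet.request.apply(packet.stack.pop().value or 0.0)
        packet.seen.append(f"{node_domain[path[-1][1]]}:virtual-link")
    return packet


def max_link_delay(hiding: Set[str]) -> Tuple[Optional[float], List[str]]:
    """Answer the user's 'maximum link delay along the path' request."""
    packet = forward(Packet(Computation("max")), PATH, NODE_DOMAIN, hiding)
    return packet.request.value, packet.seen
```

With nothing hidden the request sees all six links and reports 4.0 (the t2-t3 link). When T hides its interior, the two internal links are folded into a single virtual link of 7.0, and the requester learns that T's path is the slowest segment without learning how many hops it has or which of them is slow; the answer to the original question changes, which is the trade the Abstraction slide accepts.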
Dangers/Concerns
• Are additional techniques required?
• How can exposed information be misused?
• Can border transformations be implemented efficiently (DoS-free)?
• Do network management packets really need fast-path processing?
• Is read-only sufficiently useful?
Summary
• A tussle now exists among providers and (other) potential users of network information
• Network information is not just for network administrators
• A NM paradigm shift demands new capabilities (per-packet access, simple processing, information hiding)
• Proposed solution based on Ephemeral State Processing
  • Make (some) management information available to all
  • Processing functions: Aggregation, Anonymization, Abstraction
  • Some (ESP) operations implemented in every router, on or near the fast path
  • Sanitizing operations implemented at domain borders
Questions?