
Stealth Probing: Efficient Data-Plane Security for IP Routing

Stealth Probing: Efficient Data-Plane Security for IP Routing. Ioannis Avramopoulos, Princeton University. Joint work with Jennifer Rexford. Hosts vis-à-vis Routers (Attacks against Availability). Routing Fabric (Routing Protocols). Routing Fabric (Data Forwarding). AS: Autonomous System.


Presentation Transcript


  1. Stealth Probing: Efficient Data-Plane Security for IP Routing
     Ioannis Avramopoulos, Princeton University
     Joint work with Jennifer Rexford

  2. Hosts vis-à-vis Routers (Attacks against Availability)

  3. Routing Fabric (Routing Protocols)

  4. Routing Fabric (Data Forwarding)

  5. Attacks against the Routing Fabric (Breaking Perimeter Defense)
     [Figure: AS0, AS1, AS2, AS3, AS4. AS: Autonomous System]
     Perimeters can be broken because of:
     • Disgruntled network operators
     • Password guessing
     • Exploits of the OS

  6. Attacks against the Routing Fabric (Routing Protocol Attacks and Defenses)
     • These attacks game the routing state by falsifying routing protocol messages
     • Falsifications come in two flavors:
       • Modification of en-route protocol messages
       • Collusion (or wormhole) attacks
     • Secure routing protocols protect from the modification of protocol messages
       • They do not protect from wormholes
       • They do not verify forwarding behavior

  7. Limitation of Secure Routing Protocols (Data-Plane Adversary)
     [Figure label: DATA]

  8. Attacks against the Routing Fabric (Data-Plane Attacks)
     • Link layer disruption
       • Physical layer attacks
       • Medium access control layer attacks
     • Network layer disruption
       • Packet loss
       • Packet modification
       • Packet delay
       • Packet deflection
     • Transport layer disruption
       • Attacks against the congestion control mechanism

  9. Securing the Routing Fabric (Defending against Data-Plane Attacks)
     • Availability monitoring
       • Easy for the traffic source
       • Difficult from within the network
     • Fault localization
       • Beaconing and traceroute egregiously fail in adversarial networks
       • In adversarial networks, fault localization is difficult but necessary

  10. Overview
     • Introduction
     • Stealth Probing
     • Intradomain Deployment -- Byzantine Tomography
     • Interdomain Deployment -- Secure Route Control
     • Related Work
     • Conclusion

  11. Availability Monitoring (Problem Formulation)

  12. Naïve Solutions
     • Probing (e.g., ping)
     • Cumulative network-layer ACKs
     • Transport-layer ACKs
     [Figure labels: ingress, egress]

  13. Stealth Probing (Approach)
     • Prevent the adversary from preferentially treating probing traffic by making data and probing traffic indistinguishable
     • Three steps
       • Create an encrypted tunnel and divert both data and probing traffic in the tunnel
       • Match the size of probing traffic with that of the data traffic
       • Obscure the timing of probes

  14. Stealth Probing (Approach, continued)
     [Figure labels: ingress router, egress router]

  15. Stealth Probing (Approach, continued)
     [Figure labels: ingress router, egress router]
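An added simulation, not part of the presentation, of why all three steps on slide 13 are needed: an on-path node that can tell probes apart by protocol, size or timing forwards them and drops data, so the monitor sees no loss. The drop rate, packet sizes, probe period and the `distinguishable` rule are assumptions chosen for illustration.

```python
import random

DROP_RATE = 0.3               # assumed share of traffic the faulty node drops
PERIOD = 10                   # assumed fixed probe interval, in ticks
DATA_SIZES = [64, 576, 1500]  # assumed data packet sizes
PROBE_SIZE = 84               # assumed size of an unpadded probe

def distinguishable(tick, proto, size):
    """What an on-path node can infer from wire-visible features alone."""
    return proto == "icmp" or size == PROBE_SIZE or tick % PERIOD == 0

def run(tunnel, match_size, jitter, ticks=5000, seed=7):
    """Return (probe_loss, data_loss) on one ingress-egress path."""
    rng = random.Random(seed)
    sent = {"probe": 0, "data": 0}
    lost = {"probe": 0, "data": 0}
    for tick in range(ticks):
        # Step 1: inside the tunnel every packet shows the same outer protocol.
        packets = [("data", "esp" if tunnel else "tcp", rng.choice(DATA_SIZES))]
        # Step 3: jittered probes are not tied to a fixed schedule.
        due = rng.random() < 1 / PERIOD if jitter else tick % PERIOD == 0
        if due:
            # Step 2: probe sizes are drawn from the data size distribution.
            size = rng.choice(DATA_SIZES) if match_size else PROBE_SIZE
            packets.append(("probe", "esp" if tunnel else "icmp", size))
        for kind, proto, size in packets:
            sent[kind] += 1
            # Anything that looks like a probe is forwarded; the rest is
            # dropped at DROP_RATE.
            if not distinguishable(tick, proto, size) and rng.random() < DROP_RATE:
                lost[kind] += 1
    return lost["probe"] / sent["probe"], lost["data"] / sent["data"]

NAIVE = run(tunnel=False, match_size=False, jitter=False)
TUNNEL_ONLY = run(tunnel=True, match_size=False, jitter=False)
STEALTH = run(tunnel=True, match_size=True, jitter=True)

if __name__ == "__main__":
    for name, (probe, data) in [("naive", NAIVE), ("tunnel only", TUNNEL_ONLY),
                                ("stealth", STEALTH)]:
        print(f"{name:12s} probe loss {probe:.2f}  data loss {data:.2f}")
```

With only the tunnel in place the fixed probe size and schedule still give the probes away, so the measured probe loss stays at zero while data is being dropped; with all three steps the probe loss tracks the data loss.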

  16. Stealth Probing (Primary Benefits)
     • Non-intrusive (low overhead)
     • Detects “delay attacks” (by measuring the round-trip-times of probing traffic)
     • Prevents selective low-rate attacks that target individual IP addresses (by hiding the source and destination IP addresses of data traffic)
     • Mitigates attacks that exploit TCP (by making the TCP mechanism “opaque”)

  17. Stealth Probing (Secondary Benefits)
     • Encryption protects unencrypted host-to-host communications
     • Fate-sharing between data traffic and probes is broadly useful in network troubleshooting
     • Tunnels are useful in traffic engineering

  18. Overview
     • Introduction
     • Stealth Probing
     • Intradomain Deployment -- Byzantine Tomography
     • Interdomain Deployment -- Secure Route Control
     • Related Work
     • Conclusion

  19. Basic idea
     • Fault localization without overburdening the data plane:
       • Terminal nodes monitor path availability
       • Terminal nodes disclose faulty paths to a designated network entity
       • This entity “triangulates” adversarial nodes and links from the collection of faulty paths

  20. Byzantine Tomography (Model)

  21. Byzantine Tomography (Approach)
     Solves Minimum Hitting Set

  22. Byzantine Tomography (Basic Property)
     • Output from Byzantine tomography is not always accurate
     • However, accuracy increases as fault knowledge expands
     • Therefore, the higher the adversary’s impact, the more likely it is that the adversary will be correctly detected
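An added sketch, not code from the presentation, of the triangulation on slides 19 to 22: faulty paths reported by terminal nodes are reduced to the smallest sets of links that intersect every one of them (Minimum Hitting Set). Treating only links as suspects, the exhaustive search and the router names are assumptions made for this example.

```python
from itertools import combinations

def links(router_path):
    """Turn a router sequence into undirected links (sorted node pairs)."""
    return [tuple(sorted(hop)) for hop in zip(router_path, router_path[1:])]

def minimum_hitting_sets(faulty_paths):
    """Return every smallest set of links that intersects all faulty paths.

    Exhaustive search by increasing size: exact but exponential, so only
    suitable for small topologies (Minimum Hitting Set is NP-hard).
    """
    paths = [frozenset(p) for p in faulty_paths]
    if not paths:
        return []
    universe = sorted(set().union(*paths))
    for k in range(1, len(universe) + 1):
        hits = [set(c) for c in combinations(universe, k)
                if all(p & set(c) for p in paths)]
        if hits:
            return hits
    return []

# Constructed fault reports from terminal nodes (router names are made up).
REPORTS = [
    ["R1", "R2", "R3", "R4"],
    ["R5", "R2", "R3", "R6"],
]

def suspects(reports):
    """Candidate explanations for the faulty paths reported so far."""
    return minimum_hitting_sets([links(r) for r in reports])

if __name__ == "__main__":
    print("one report :", suspects(REPORTS[:1]))   # three equally good candidates
    print("two reports:", suspects(REPORTS))       # narrowed to one link
```

One report leaves three single-link explanations; the second report, which shares only the R2-R3 link with the first, leaves one, which is the "accuracy increases as fault knowledge expands" property of slide 22.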

  23. Overview
     • Introduction
     • Stealth Probing
     • Intradomain Deployment -- Byzantine Tomography
     • Interdomain Deployment -- Secure Route Control
     • Related Work
     • Conclusion

  24. Secure Route Control
     [Figure labels: AS A (Stub), AS B (Stub), Provider]

  25. Secure Route Control (cont.)
     [Figure labels: AS A (Stub), AS B (Stub), Provider]

  26. Overview
     • Introduction
     • Stealth Probing
     • Intradomain Deployment -- Byzantine Tomography
     • Interdomain Deployment -- Secure Route Control
     • Related Work
     • Conclusion

  27. Related Work
     • Perlman proposed encryption to make data and control traffic indistinguishable
       • Perlman proposed encryption at network links
       • We extend this idea to network paths
     • Mizrak et al. proposed Fatih as a secure data-plane availability monitor
       • Fatih requires clock synchronization
       • Stealth probing does not rely on clock synchronization
     • Several researchers have proposed data-plane mechanisms for secure fault localization
       • Byzantine tomography is a management-plane technique

  28. Conclusion (1)
     • Resilience was a top priority in the design of the operational Internet but the threat model was naïve (vis-à-vis today’s attacks)
     • In future networks, we should expect to see
       • better perimeter defense and
       • in-depth defense
         • secure routing protocols
         • secure data forwarding
     • Stealth probing is a secure availability monitor that works by concealing probing traffic

  29. Conclusion (2)
     • We presented deployment scenarios of this monitor in
       • Intradomain routing and
       • Interdomain routing
     • Our ongoing work focuses on … :
       • Intradomain case: … improving the accuracy of Byzantine tomography
       • Interdomain case: … investigating the benefits of more flexible interdomain path selection schemes

  30. Thank you
     Questions
