
Permission-Based Sending (PBS) NSLP: Network Traffic Authorization draft-hong-nsis-pbs-nslp-01


Presentation Transcript


  1. Permission-Based Sending (PBS) NSLP: Network Traffic Authorization
     draft-hong-nsis-pbs-nslp-01
     Se Gi Hong & Henning Schulzrinne, Columbia University
     IETF 72 - NSIS

  2. Overview of PBS
     • Objective
       • Preventing Denial-of-Service (DoS) attacks and other forms of unauthorized traffic.
     • Network traffic authorization
       • A sender has to receive permission from the intended receiver before it injects any packets into the network.
       • Permission represents the authority to send data.
     • Deny-by-default
       • In a closed network (all end users have PBS NSLP functionality):
         • Traffic without permission is dropped at the first router by default.
       • In the open Internet (some end users do not have PBS NSLP functionality):
         • Traffic from end users without PBS NSLP functionality is rate-limited by default.

  3. Design Overview
     • Distributed system
       • The permission is granted by the intended receiver of a data flow.
       • Signaling installs and revokes the permission state in routers for data flows.
     • Stateful system
       • A subset of routers keeps state for a data flow and monitors whether the flow is authorized.
     • Deployable system
       • PBS can be applied to current networks.
       • PBS does not change the IP or TCP/UDP packet headers.
       • An existing security protocol, IPsec, is used.
     • Scalable system
       • Not all routers need to be aware of PBS.
       • Reduced computational overhead: only data packets from senders affected by attacks use IPsec.

  4. Design Overview
     • DoS defense mechanism
       • DoS detection mechanism
         • The PBS Detection Algorithm (PDA) can detect DoS attacks.
         • PDA uses signaling messages to monitor the attacks.
       • Reaction mechanisms against DoS attacks
         • Limited permission: prevents a flood of data packets beyond the granted volume.
         • IPsec Authentication Header (AH): for the authentication and integrity of data packets.
         • Changing the data path: to avoid a compromised router that drops legitimate packets.

  5. Three Components of the PBS NSLP Architecture
     • Path-coupled (on-path) signaling component
       • Installs and maintains permission state.
       • Monitors attacks and triggers the reaction mechanism against them.
       • Signaling messages are authenticated with IPsec AH.
     • Authorization component
       • Decides whether to grant permission (and how much data volume) for a flow.
       • Detects and identifies attacks using the PDA.
       • Decides the reaction mechanism against an attack, e.g., IPsec AH for data packets or changing the data flow path.
     • Traffic management component
       • Screens data packets to check whether they are authorized.
       • Drops unauthorized packets using an IP packet filter.
       • Counts the volume of data to monitor the flow.
       • Verifies the authentication of packets.

  6. PBS NSLP Signaling Messages
     • Two-way handshake
       • Query message
         • Sent by a sender to request permission.
         • Describes the requested application.
         • Rate-limited by proof-of-work.
       • Permission message
         • Sent by a receiver.
         • Sets up (grants), removes (revokes) and modifies permission state.
         • Triggers the reaction mechanism against attacks.
     • Soft state
       • The permission state is refreshed periodically by a soft-state mechanism.
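The router-side behaviour described on slides 5 and 6 (the traffic management component screening packets against soft-state permission entries, the deny-by-default drop in a closed network and the default rate limit in the open Internet) can be sketched as a small simulation. This is an added example, not code from the draft or its authors; the draft fixes none of the data structures, so the in-memory tables, the purge of state after three missed refresh periods, the treatment of AV=0 as a revocation, and the per-source token bucket used as the concrete rate limiter are all assumptions made here.

```python
"""Router-side traffic management for PBS NSLP (added example, not the draft's code).

Assumptions not fixed by the draft: in-memory state tables, purge after three
missed refresh periods, AV=0 meaning revocation, and a per-source token bucket
as the open-Internet rate limiter.
"""
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowID:
    """Flow identifier carried in Query/Permission messages (5-tuple subset)."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


@dataclass
class PermissionState:
    allowed_volume: int    # AV: bytes the receiver granted
    expires_at: float      # absolute deadline derived from TTL
    refresh_period: float  # T: soft-state refresh period
    last_refresh: float    # time of the last Permission message for this flow
    forwarded: int = 0     # bytes forwarded under this permission so far


class PBSTrafficManager:
    """Screens data packets against installed permission state.

    closed_network=True : deny-by-default, packets without permission are dropped.
    closed_network=False: flows without permission are rate-limited per source
                          address (token bucket: assumed mechanism).
    """
    SOFT_STATE_MISSES = 3  # assumption: purge state after 3 missed refreshes

    def __init__(self, closed_network=True, default_rate=0, clock=time.monotonic):
        self.closed_network = closed_network
        self.default_rate = default_rate          # bytes/second for unpermitted flows
        self.clock = clock
        self.permissions = {}                     # FlowID -> PermissionState
        self.buckets = {}                         # src -> (tokens, last_time)

    # Signaling plane: a Permission message installs, refreshes or revokes state.
    def install_permission(self, fid, allowed_volume, ttl, refresh_period):
        now = self.clock()
        if allowed_volume == 0:                   # assumption: AV=0 means revoke
            self.permissions.pop(fid, None)
            return
        st = self.permissions.get(fid)
        if st is None:
            self.permissions[fid] = PermissionState(allowed_volume, now + ttl, refresh_period, now)
        else:                                     # refresh/modify existing soft state
            st.allowed_volume, st.expires_at = allowed_volume, now + ttl
            st.refresh_period, st.last_refresh = refresh_period, now

    def _expired(self, fid, st, now):
        stale = now - st.last_refresh > self.SOFT_STATE_MISSES * st.refresh_period
        if now >= st.expires_at or stale:
            del self.permissions[fid]
            return True
        return False

    # Data plane: decide the fate of one packet.
    def screen(self, fid, length):
        """Return 'forward' or 'drop' for a data packet of `length` bytes."""
        now = self.clock()
        st = self.permissions.get(fid)
        if st is not None and self._expired(fid, st, now):
            st = None
        if st is None:
            return "drop" if self.closed_network else self._rate_limit(fid.src, length, now)
        if st.forwarded + length > st.allowed_volume:
            return "drop"                         # limited permission: never exceed AV
        st.forwarded += length
        return "forward"

    def _rate_limit(self, src, length, now):
        tokens, last = self.buckets.get(src, (float(self.default_rate), now))
        tokens = min(float(self.default_rate), tokens + (now - last) * self.default_rate)
        ok = tokens >= length
        self.buckets[src] = (tokens - length if ok else tokens, now)
        return "forward" if ok else "drop"


class FakeClock:
    """Controllable clock so the constructed scenarios are deterministic."""
    def __init__(self): self.t = 0.0
    def __call__(self): return self.t
    def advance(self, s): self.t += s


def run_router_scenarios():
    """Constructed traffic: deny-by-default, AV cap, soft-state purge, open-network rate limit."""
    clk = FakeClock()
    fid = FlowID("10.0.0.5", "10.0.1.9", 17, 40000, 5004)       # constructed sample flow
    out = {}
    closed = PBSTrafficManager(closed_network=True, clock=clk)
    out["no_permission"] = closed.screen(fid, 1000)                 # drop: no state
    closed.install_permission(fid, allowed_volume=2500, ttl=60, refresh_period=10)
    out["within_av"] = [closed.screen(fid, 1000) for _ in range(2)]  # forward, forward
    out["over_av"] = closed.screen(fid, 1000)                       # drop: 3000 > 2500
    clk.advance(35)                                                  # 3 refresh periods missed
    out["stale"] = closed.screen(fid, 100)                           # drop: state purged
    open_net = PBSTrafficManager(closed_network=False, default_rate=1500, clock=clk)
    out["open_burst"] = [open_net.screen(fid, 1000) for _ in range(3)]  # forward, drop, drop
    clk.advance(1)
    out["open_refilled"] = open_net.screen(fid, 1000)               # forward after refill
    return out
```

Calling `run_router_scenarios()` walks one flow through both deployment modes: in the closed network the first packet is dropped until a Permission arrives, the byte counter enforces AV, and the entry disappears once refreshes stop; in the open network the same unpermitted flow is throttled rather than dropped.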

  7. PBS Detection Algorithm (PDA)
     • Monitoring DoS attacks
       • Uses the existing PBS NSLP messages (Query/Permission).
       • Uses the soft-state mechanism to monitor the data flow periodically.
     • Basic operation of PDA
       • The Query message sent by a sender contains the number of bytes the sender has sent since the permission was granted.
       • The receiver compares the number of bytes reported in the Query message with the number of bytes it has actually received.
       • If they differ, the Permission message triggers the reaction mechanism.

  8. Back-up slides

  9. PBS NSLP Architecture (figure)
     • Blocks: On-path signaling, Authorization, PBS NSLP Processing, NTLP (GIST) Processing, Traffic Management
     • Arrows: Data flow, Signal flow, Control and configuration

  10. Query Message
      • Message type flag (M)
        • Set to M=0 to indicate that the message is a Query message.
      • Flow identifier
        • Descriptor of the data flow: source IP address, destination IP address, protocol identifier, higher-layer (port) addressing, flow label, SPI field, DSCP/TOS field.
      • Requested volume (RV)
        • The number of bytes that the sender requests.
      • Volume information (V)
        • The number of bytes that the sender has sent since it received the permission from the intended receiver.
        • Used to monitor DoS attacks.
      • Public key (Ks)
        • The sender's public key for the authentication of signaling packets.
        • An X.509 certificate is used for the digital signature.
      • Cryptography algorithm (C)
        • Cryptography algorithm to be used for the authentication field in IPsec AH.
        • C=00: RSA, C=01: DSA, C=10: ECDSA

  11. Permission Message
      • Message type flag (M)
        • Set to M=1 to indicate that the message is a Permission message.
      • Flow identifier
      • Allowed volume (AV)
        • The number of bytes that the receiver grants the sender for the request.
      • Time limit (TTL)
        • Time limit for the permission of the data flow.
      • Refresh period (T)
        • Used for the soft state of the permission.
      • Solution flags (S)
        • S=00: no reaction; S=01: IPsec AH with HMAC for the data flow; S=10: IPsec AH with public-key cryptography for the data flow; S=11: the sender needs to change the data path.
      • Public key (Kr)
        • The receiver's public key for the authentication of signaling packets.
        • An X.509 certificate is used for the digital signature.
      • Cryptography algorithm (C)
        • Cryptography algorithm to be used for the authentication field in IPsec AH.

  12. Basic Operation of PBS NSLP (figure: Sender - R1 - R2 - Receiver, showing data flow and signal flow)
      1. Sender → R1 → R2 → Receiver: Q (M, FID, RV, V, Ks, C)
      2. Receiver → R2 → R1 → Sender: P (M, FID, AV, TTL, T, S, Kr, C)
      3. Sender → Receiver: data flow
      4. After the refresh period T, Sender → R1 → R2 → Receiver: Q (M, FID, RV, V, Ks, C)
      5. Receiver → R2 → R1 → Sender: P (M, FID, AV, TTL, T, S, Kr, C)

  13. Basic Operation of PDA (figure: Sender - R1 - R2 - Receiver on the data path; attacker A, spoofing the Sender's address, reaches R2 via R3)
      1. Sender → Receiver: Query
      2. Receiver → Sender: Permission (AV=10MB)
      3. Sender → Receiver: data flow (1MB)
      4. A → R3 → R2 → Receiver: attack flow (2MB) with the Sender's spoofed address
      After the refresh period T:
      5. Sender → Receiver: Query (V=1MB); the Receiver detects the attack (1MB reported vs 3MB received)
      6. Receiver → Sender: Permission (S=10)

  14. Detection of Black Hole Attack (figure: Sender - R1 - R2 - R3 - Receiver; an attacker router drops all packets, signaling included)
      1. Sender → Receiver: Query; the Query is dropped by the attacker and times out (T.O.), so no Permission returns.
      2. The Sender changes the data flow path and resends the Query along the new path.

  15. Detection of Dropping Only Data Packets (figure: Sender - R1 - R2 - R3 - Receiver; an attacker router forwards signaling but drops data packets)
      1. Sender → Receiver: Query
      2. Receiver → Sender: Permission (AV=10MB)
      3. Sender → Receiver: data flow (1MB), dropped by the attacker before it reaches the Receiver
      After the refresh period T:
      4. Sender → Receiver: Query (V=1MB); the Receiver detects the attack (1MB reported vs 0MB received)
      5. Receiver → Sender: Permission (S=11)
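The receiver-side logic of slide 7 and the three back-up figures (spoofed extra traffic on slide 13, a black hole on the signaling path on slide 14, a router dropping only data packets on slide 15) can be replayed end to end with both sides' messages. This is an added example, not code from the draft or its authors. It assumes: Query and Permission are modelled as dataclasses with the field names of slides 10 and 11 but no wire format; keys are placeholder strings rather than X.509 certificates; the reaction chosen in `pda()` follows what the figures show (S=10 when more bytes arrive than the sender reported, S=11 when fewer do); and a black hole is modelled as a path on which the Query gets no reply.

```python
"""Receiver-side PDA and the Query/Permission handshake (added example, not the draft's code).

Assumptions: dataclass messages without a wire format, placeholder keys, and the
S=10 / S=11 reaction choice taken from the back-up figures.
"""
from dataclasses import dataclass

MB = 1_000_000
# Solution flags (S) and cryptography algorithm codes (C) from the message slides
S_NONE, S_AH_HMAC, S_AH_PUBKEY, S_CHANGE_PATH = 0b00, 0b01, 0b10, 0b11
C_RSA, C_DSA, C_ECDSA = 0b00, 0b01, 0b10


@dataclass
class Query:                # M=0, sender -> receiver
    fid: tuple              # flow identifier
    RV: int                 # requested volume (bytes)
    Ks: str                 # sender's public key / X.509 certificate (placeholder)
    V: int = 0              # bytes sent since the permission was granted
    C: int = C_RSA
    M: int = 0


@dataclass
class Permission:           # M=1, receiver -> sender
    fid: tuple
    AV: int                 # allowed volume (bytes)
    TTL: int                # time limit (seconds)
    T: int                  # refresh period (seconds)
    S: int                  # solution flags
    Kr: str                 # receiver's public key / certificate (placeholder)
    C: int = C_RSA
    M: int = 1


class PBSReceiver:
    """Grants permission on the first Query and runs the PDA on every refresh Query."""

    def __init__(self, kr, max_grant, ttl, refresh):
        self.kr, self.max_grant, self.ttl, self.refresh = kr, max_grant, ttl, refresh
        self.received = {}         # fid -> bytes actually received under the permission

    def on_data(self, fid, length):
        if fid in self.received:   # count only flows that hold a permission
            self.received[fid] += length

    def on_query(self, q):
        assert q.M == 0
        if q.fid not in self.received:   # initial request: grant and start counting
            self.received[q.fid] = 0
            s = S_NONE
        else:                            # refresh: compare reported V with bytes received
            s = self.pda(q.V, self.received[q.fid])
        return Permission(q.fid, min(q.RV, self.max_grant), self.ttl, self.refresh, s, self.kr, q.C)

    @staticmethod
    def pda(reported, received):
        """PBS Detection Algorithm: map the V vs. received-bytes discrepancy to a reaction."""
        if received > reported:   # surplus packets carry this flow ID: address spoofing
            return S_AH_PUBKEY    # require IPsec AH so routers can drop the unsigned packets
        if received < reported:   # legitimate packets vanish on the path: dropping router
            return S_CHANGE_PATH
        return S_NONE


def request_permission(paths, send, q):
    """Sender side: a Query that times out on one path (black hole) is retried on the next."""
    for path in paths:
        p = send(path, q)         # None models a timeout (T.O.) with no Permission back
        if p is not None:
            return path, p
    return None, None


def run_pda_scenarios():
    """Constructed flows replaying the back-up slides; returns the observed reactions."""
    fid = ("10.0.0.5", "10.0.1.9", 17, 40000, 5004)          # constructed sample flow
    q0 = Query(fid=fid, RV=10 * MB, Ks="cert:sender")
    q_refresh = Query(fid=fid, RV=10 * MB, Ks="cert:sender", V=1 * MB)

    def new_rx():
        return PBSReceiver("cert:receiver", max_grant=10 * MB, ttl=300, refresh=30)
    out = {}

    rx = new_rx()                 # slide 13: 1 MB legitimate + 2 MB spoofed by A via R3
    p1 = rx.on_query(q0)
    rx.on_data(fid, 1 * MB)
    rx.on_data(fid, 2 * MB)
    out["spoof"] = (p1.AV, p1.S, rx.on_query(q_refresh).S)   # (10 MB, S=00, S=10)

    rx = new_rx()                 # slide 15: 1 MB sent, all of it dropped on the path
    rx.on_query(q0)
    out["drop"] = rx.on_query(q_refresh).S                   # S=11

    rx = new_rx()                 # slide 14: R2 is a black hole, the Query times out

    def send(path, q):
        return None if "R2" in path else rx.on_query(q)
    path, p = request_permission([["R1", "R2"], ["R1", "R3"]], send, q0)
    out["black_hole"] = (path, p.AV)                         # permission via R3

    rx = new_rx()                 # honest sender: V matches, no reaction
    rx.on_query(q0)
    rx.on_data(fid, 1 * MB)
    out["honest"] = rx.on_query(q_refresh).S                  # S=00
    return out
```

The receiver only ever sees two numbers per refresh, V from the sender and its own byte count, so the same comparison separates the two attacks: a surplus means someone else is injecting packets under the sender's flow identifier and the fix is to make packets attributable (IPsec AH), while a deficit means the path itself is eating packets and the fix is to route around it. A black hole never reaches the comparison at all, which is why slide 14 detects it from the signaling timeout instead.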
