1 / 31

Policy Enforcing for Probe Based Admission Control

Policy Enforcing for Probe Based Admission Control. Master of Science Thesis. Marcello Conte. Royal Institute of Technology (KTH), Dept. Of Teleinformatics (IT) Stockholm, Sweden Politecnico di Torino, Dept. Of Computer and Control Engineering Turin, Italy.

duc
Download Presentation

Policy Enforcing for Probe Based Admission Control

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Policy Enforcing for Probe Based Admission Control Master of Science Thesis Marcello Conte

  2. Royal Institute of Technology (KTH), Dept. Of Teleinformatics (IT)Stockholm, SwedenPolitecnico di Torino, Dept. Of Computer and Control Engineering Turin, Italy • Technical Advisor: Ignacio Más Ivars • Supervisor at KTH/IT Viktória Fodor • Supervisor at Politecnico di Torino Antonio Lioy Policy Enforcing for Probe Based Admission Control

  3. Content • Background • Probe Based Admission Control (PBAC) • Testbed Architecture • Policy Enforcing Protocol • Performance Evaluation • Conclusion & Future Work Policy Enforcing for Probe Based Admission Control

  4. Background • Predictable QoS guarantees for Real Time services • Integrate and support multimedia applications: • VoIP, video/audio streaming etc. • Best-Effort service unsatisfactory • IETF set up working groups: • IntServ RFC 1633 • DiffServ RFC 2475 Policy Enforcing for Probe Based Admission Control

  5. Measurement Based Admission Control (MBAC) • Solve scalability problems • Combine IntServ and DiffServ architecture • Access control at the edge nodes: • Probes the network to experience the congestion level • Performs measurement on: • Packet loss percentage, packet delay • Accept/reject incoming session Policy Enforcing for Probe Based Admission Control

  6. Probe Based Admission Control (PBAC) • Provides a Controlled Load Service (CLS) • Upper bound on packet loss, low delay • Probe packets include: • Peak bit rate, time duration, session identifier • Router support: • Distinguish probe and data packets • Serve packets with priority • Trust between network and end-users Policy Enforcing for Probe Based Admission Control

  7. PBAC requirements • Sender does not transmit data: • At a higher bitrate than the one agreed • If rejected by the receiver • Receiver: • Take a reliable admission decision • Protection of the probing flow Policy Enforcing for Probe Based Admission Control

  8. Testbed architecture • Hardware: • Celeron 800MHz, RAM 128 MBytes Xmms Internet FFserver Policy Enforcing for Probe Based Admission Control

  9. Testbed architecture Xmms FFserver CLS provider CLS provider Internet AG AG Policy Enforcing for Probe Based Admission Control

  10. User’s misbehavior Intruder attack Security issue Xmms FFserver Internet AG AG Policy Enforcing for Probe Based Admission Control

  11. Policy enforcing protocol • Collection of cryptographic mechanisms • Assist the probe phase of the PBAC • Functions: • Monitors PBAC users behavior • Protects the probe phase from intruder attacks • AG support at the border of the network Policy Enforcing for Probe Based Admission Control

  12. Cryptographic mechanisms • Entity authentication • Signature scheme, Certificate extension • Message integrity check • SHA-1, MD5, MAC, etc. • Key exchange • Diffie-Hellman, Needham-Schroeder, etc. • Message Encryption • RC4, DES, RSA, IDEA, etc. Policy Enforcing for Probe Based Admission Control

  13. Monitor user’s behaviour Checking the CLS API used Protect the probing flow Encrypting the link Code authentication Secure tunnel Solution Policy Enforcing for Probe Based Admission Control

  14. Code authentication (CA) • Forces the end-users to follow the steps of PBAC • Makes sure AGs about the CLS API authenticity • Requires end-users to show an authentication key Policy Enforcing for Probe Based Admission Control

  15. Key Digest Code authentication (CA) • AG generates a key • End-user: • Computes MAC on the CLS API • Sends back the digest • AG: • Checks the validity of the digest • Accept/reject end-user End-user AG Policy Enforcing for Probe Based Admission Control

  16. AGs involved in the communication: Authenticate themselves Share a secret key Cover the messages exchanged Policy enforcing protocol task: RSA signature Key exchange protocol Encryption Secure tunnel establishment Policy Enforcing for Probe Based Admission Control

  17. VA,sSA(IPA,IPB) VB,sSB(IPB,IPA) RSA signature • AGs authentication • AGA sends a public verification key VA and a signed message with both the IP address of the AG • AGB verifies AGA AGB AGA • AGB sends a public verification key VB and a signed message with both the IP address of the AG • AGA verifies AGB Policy Enforcing for Probe Based Admission Control

  18. AGs involved in the communication: Authenticate themselves Share a secret key Cover the messages exchanged Policy enforcing protocol task: RSA signature Key exchange protocol Encryption Secure tunnel establishment Policy Enforcing for Probe Based Admission Control

  19. p, g, ga sSA(ga,gb) gb,sSB(gb,ga) Key exchange protocol • AGA generates a prime random number p and a random exponent g • AGA picks a random number a and sends the parameters and the public key ga • AGB picks a random number b and sends the public key gb and a signed message with both the public keys AGB AGA • AGA sends a signed message with both the public keys as acknowledgment • Both AGA and AGB compute the shared key K = gab Policy Enforcing for Probe Based Admission Control

  20. AGs involved in the communication: Authenticate themselves Share a secret key Cover the messages exchanged Policy enforcing protocol task: RSA signature Key exchange protocol Encryption Secure tunnel establishment Policy Enforcing for Probe Based Admission Control

  21. eK(probe packets) eK(Admission packet) Message encryption • Using fast algorithm to lower the delay of the encryption/decryption • RC4 • To cover: • The content of the probe packet AGB AGA • The admission decision Policy Enforcing for Probe Based Admission Control

  22. Connection shutdown • If a security check fails: • The AGs do not forward packets between the end-users • The AGs close the sockets to the end-users • User forced to repeat the procedure • Otherwise: • The probe phase begins Policy Enforcing for Probe Based Admission Control

  23. CA evaluation • Test performed varying the size of the key • Digest computed on the CLS API of 1 Mbytes • Average value of 53 msecs • The size of the key does not affect the delay in computing the digest Policy Enforcing for Probe Based Admission Control

  24. RSA evaluation • Test performed varying the size of the public and private keys • Complexity in generating the public/private keys • Delay introduced by the sign/verify functions • Delay increases with the size of the keys Policy Enforcing for Probe Based Admission Control

  25. KEP evaluation First test • The RSA signature scheme affects the KEP • Shared key size fixed to: • 16 bytes • Varying the size of the RSA keys • Delay: • introduced by the RSA sign/verify functions • Increases linearly Policy Enforcing for Probe Based Admission Control

  26. KEP evaluation Second test • Fixed size of the RSA keys • Varying the size of the shared key • Exponential trend due: • Complexity in generating shared parameters (p,g) • Delay for computing the shared key • The security level increases the delay Policy Enforcing for Probe Based Admission Control

  27. Policy enforcing setup delay • Evaluation of the delay that the protocol introduces • Delay increases with the security level • Trade off between the security level and the delay • Suggest set of parameters: • CA 1024 bytes • RSA 128 bytes • KEP 32 bytes 2937 msecs • Delay introduced: • CA 52 msecs • RSA 1799 msecs • KEP 1086 msecs Policy Enforcing for Probe Based Admission Control

  28. Policy enforcing setup delay • Probe duration time in the worse case: 5 secs • Policy enforcing protocol delay: 2937 msecs • Delay for the service provision: ~ 8 secs • Medium security level • Delay comparable to the probe duration time • Reliable upper bound on the service provision Policy Enforcing for Probe Based Admission Control

  29. Conclusion • Simple and fast and flexible security solution • The scheme offers: • Assurance about end-user’s identity • Protection of the probing flow from intruder attack • Testbed implemented: • Does not require any change within the network topology • Requires a cryptographic interface to run on the AGs • End-user’s applications to support the code authentication feature Policy Enforcing for Probe Based Admission Control

  30. Future work • Add certificate extensions (X.509) for authentication • Strengthen the KEP with timestamp and encryption of message exchanged. • Test the scheme using other encryption algorithm (DES, IDEA, etc.) • Test the protocol using different hardware for the simulation • Test the protocol simulating multiple simulaneous connection to AGs Policy Enforcing for Probe Based Admission Control

  31. Any Question?

More Related