
Holding the Internet Accountable

David Andersen, Hari Balakrishnan, Nick Feamster, Teemu Koponen, Daekyeong Moon, Scott Shenker


Presentation Transcript


  1. Holding the Internet Accountable
     David Andersen, Hari Balakrishnan, Nick Feamster, Teemu Koponen, Daekyeong Moon, Scott Shenker

  2. IP Layer Names Don’t Have Secure Bindings
     • There are three kinds of IP layer names: IP address, IP prefix, AS number
     • No secure binding of host to its IP addresses
     • No secure binding of AS number to its IP prefixes

  3. Problematic Result: IP Lacks Accountability
     • Any host can spoof any other host
     • No intrinsic support in IP to detect or prevent
     • A network can advertise prefixes arbitrarily
     • Many misconfigs; some examples of ill intent
     • S-BGP requires external mechanisms to bind prefix to AS and AS to public key
     • No intrinsic support in IP to detect or prevent
     • Accountability: Ability to associate action with entity or hold entity responsible for action
     • Basis for security in real-world
     • Foundation for raising level of Internet security

  4. AIP: Accountable Internet Protocol
     • Goal: Intrinsic support for network-layer accountability in the Internet
     • Key idea: New addressing (naming) scheme for networks and hosts
     • Simple protocols that use properties of addressing scheme as foundation
     • Securing BGP, anti-spoofing, targeted traffic throttling (anti-DoS)

  5. AIP Addressing
     [Diagram labels: AD1, AD2, AD3]
     • Autonomous domains, each with unique ID (smaller than an AS)
     • Each host has a global EID [HIP, DOA, LISP]
     • Address = AD1:EID
     • If multihomed, has multiple addresses: AD1:EID, AD2:EID, AD3:EID
     • AD and EID are self-certifying [SFS] flat names
     • AD = hash(public_key_of_AD, other_stuff)
     • Self-certification binds name to named entity

  6. AIP Forwarding and Routing
     [Diagram labels: Source; AD R, AD G, AD B, AD Y; Y:EID]
     • Routers in R, G, B use only AD field to forward: route_lookup(Y)
     • Once packet is in AD Y (destination AD), Y’s routers: route_lookup(EID)
     • Inter-AD routing uses AD numbers as routing objects: Y: AD path = [B G R]; B: AD path = [G R]; etc. Note absence of prefixes
     • Intra-AD routing disseminates EIDs (many ways possible)

  7. With AIP Addresses, Accountability is Intrinsic
     • (Recall) Ability to associate action with entity or hold entity responsible for action
     • Control-plane accountability improves security of routing protocol (BGP)
     • Source accountability detects spoofing and forgery
     • Also helps throttle traffic from “well-intentioned” [Shaw] compromised hosts
     • Mechanisms borrow ideas from previous work [S-BGP, uRPF], but goals achieved more readily

  8. Control-Plane Accountability (for BGP)
     • Origin authentication: Ensure routing prefix being originated by AS X actually belongs to X
     • Path authentication: Ensuring accuracy of AS path
     • S-BGP and soBGP require external infrastructures
     • Routing registry recording prefix ownership
     • PKI (database) mapping AS to its public key
     • In practice, registries notoriously inaccurate
     • With AIP: ADs exchange pub keys via BGP messages
     • Path auth identical to S-BGP (but no PKI)
     • Origin auth achieved “just like that” (no registry)

  9. Source Accountability: Detecting Spoofing
     • Property 1: When challenged, only entity with AD A’s private key can prove packet was sent with source address A:
     • Property 2: When challenged, only entity with EID E’s private key can prove packet was sent with source address :E
     • Any entity seeing packet can check these two properties using a verification protocol

  10. AIP Verification Protocol
     [Flowchart. Node labels: Receive pkt w/ src A:E; In accept cache?; Local AD?; Trust nbhr AD?; SLA, uRPF, …; Accept & forward; Drop pkt, send nonce to A or E; Receive nonce resp; Verify signature; Add A (or E):iface to accept cache. Branch labels: Y, N.]
     • Nonce response must be signed w/ A’s (or E’s) priv key
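The challenge branch of the verification flow on slides 9 and 10, together with the self-certifying name from slide 5, as an added Go example that is not from the presentation or the AIP authors. It assumes Ed25519 keys, an EID equal to the SHA-256 of the public key, and a 16-byte nonce; `Verifier` and its methods are hypothetical names, and the local-AD and trusted-neighbor branches are left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// EID is a self-certifying name: the SHA-256 of the host's public key (assumed form).
type EID [32]byte
func DeriveEID(pub ed25519.PublicKey) EID { return sha256.Sum256(pub) }

// Verifier is the checking router's state: accept cache and outstanding nonces.
type Verifier struct {
	accepted map[EID]bool
	pending  map[EID][]byte
}

// OnPacket forwards a cached source; otherwise it drops the packet and returns a nonce.
func (v *Verifier) OnPacket(src EID) (forward bool, nonce []byte) {
	if v.accepted[src] {
		return true, nil
	}
	nonce = make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	v.pending[src] = nonce
	return false, nonce
}

// OnResponse accepts src only if pub is well-formed, hashes to src and signed our nonce.
func (v *Verifier) OnResponse(src EID, pub ed25519.PublicKey, sig []byte) bool {
	nonce, asked := v.pending[src]
	if !asked || len(pub) != ed25519.PublicKeySize || DeriveEID(pub) != src ||
		!ed25519.Verify(pub, nonce, sig) {
		return false
	}
	delete(v.pending, src)
	v.accepted[src] = true
	return true
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed host key
	v, id := &Verifier{map[EID]bool{}, map[EID][]byte{}}, DeriveEID(pub)
	_, n := v.OnPacket(id)
	fmt.Println(v.OnResponse(id, pub, ed25519.Sign(priv, n)))
}
```

The length check matters because the claimed source name is chosen by the sender: a malformed key whose hash equals the claimed name would otherwise reach `ed25519.Verify`, which panics on a key of the wrong size.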

  11. AIP Enables Secure Shut-Off
     [Diagram labels: D, X]
     • Problem: Compromised host X sending stream of unwanted traffic to destination D
     • X is “well-intentioned”, owner benign [Shaw]
     • Shut-off packet signed by D to X: {time, D’s pub key, hash of recent pkt recd from X by D, TTL}
     • Can send shut-offs to hosts or to ADs
     • Shut-off scheme implemented in NIC firmware
     • Immutable by host software (updates require physical access via USB/serial port)
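A sketch of the check a NIC at X could run on a shut-off packet carrying the fields listed on slide 11, added here as an example and not taken from the presentation or the AIP authors. Assumptions: Ed25519 keys, an EID equal to the SHA-256 of the public key, a table of hashes of recently sent packets kept by the NIC, the `body()` encoding, and the `maxTTL`/`maxSkew` limits; all type and function names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

type EID [32]byte // self-certifying name: SHA-256 of a public key (assumed form)

// ShutOff holds the slide's fields; Sig signs body(), a constructed encoding.
type ShutOff struct {
	Time, TTL int64 // Unix seconds when D signed; seconds X must stay silent
	Pub       ed25519.PublicKey
	PktHash   [32]byte // hash of a packet D received from X
	Sig       []byte
}

func (s *ShutOff) body() []byte {
	return []byte(fmt.Sprintf("%d|%x|%x|%d", s.Time, s.Pub, s.PktHash, s.TTL))
}

// NIC is X's firmware state; the sent-hash table is an assumption of this example.
type NIC struct {
	sent    map[[32]byte]EID // hash of a recently sent packet -> its destination
	blocked map[EID]int64    // destination -> Unix time the block ends
}

const maxTTL, maxSkew = 300, 30 // assumed policy limits, in seconds

func (n *NIC) OnShutOff(s *ShutOff, now int64) error {
	dst, sentIt := n.sent[s.PktHash]
	switch age := now - s.Time; {
	case len(s.Pub) != ed25519.PublicKeySize || !ed25519.Verify(s.Pub, s.body(), s.Sig):
		return fmt.Errorf("bad signature")
	case !sentIt || dst != EID(sha256.Sum256(s.Pub)):
		return fmt.Errorf("signer is not a recent destination")
	case age < -maxSkew || age > maxSkew || s.TTL < 1 || s.TTL > maxTTL:
		return fmt.Errorf("stale or out-of-range shut-off")
	}
	n.blocked[dst] = now + s.TTL
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // D's key pair, constructed
	s := &ShutOff{Time: 1000, TTL: 60, Pub: pub, PktHash: sha256.Sum256([]byte("pkt"))}
	s.Sig = ed25519.Sign(priv, s.body())
	nic := &NIC{map[[32]byte]EID{s.PktHash: sha256.Sum256(pub)}, map[EID]int64{}}
	fmt.Println(nic.OnShutOff(s, 1005), nic.blocked[sha256.Sum256(pub)])
}
```

Tying the packet hash to the signer's own name means a third party can only silence traffic that X actually sent to that party, and the time and TTL bounds keep a captured shut-off from being replayed indefinitely.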

  12. Limitations and Concerns
     • AIP handles spoofing, but what about minting?
     • Any entity can make up self-certified addresses
     • Each AD must control #EIDs per host to protect
     • Any entity can make up routing announcements for non-existent ADs
     • We’re studying a few approaches to this problem
     • Key management and compromise?
     • Each AD has master key pair and current key pair; uses master to issue change
     • But AD number and all its addresses must change
     • More concerns in paper: routing scalability (wrt state and update volume), traffic engineering, …

  13. Conclusion
     • Q: How to achieve network-layer accountability in an internetwork?
     • A: Self-certifying internetwork addresses
     • AD:EID (AIP)
     • Each field derived from public keys
     • Control-plane (routing) and source (anti-spoofing) accountability are now intrinsic
     • Ideas compose well with other mechanisms for mobility, higher availability, etc.
