Next-Generation Secure Internet: Security Overview and Context
Adrian Perrig in collaboration with Steven Bellovin, David Clark, Dawn Song

Everybody Understands Need for NGSI
• Webby award
• Annual award for achievement in Web creation
• Recipients get five words only for their acceptance speech
• Vint Cerf: “We all invented the Internet”
• Al Gore received Webby award this year
• Responsible for spearheading critical legislation and providing much-needed political support
• Speech: “Please don’t recount this vote”
• “It is time to reinvent the Internet for all of us to make it more robust and much more accessible and use it to reinvigorate our democracy”

Background
• Internet designed for trustworthy environments
• Goal was to provide efficiency, scalability, robustness assuming a benign environment
• Fact: Internet protocols vulnerable to attacks, e.g., BGP, DNS, TCP/IP, …
• Hosts are even worse
• Today: businesses, government, society rely on Internet
• As of January 2005: 317,646,084 hosts (isc.org)
• Not all of them are benign!

Attacker/Trust Model
• Any network node may be compromised
• Endhosts
• Including network management and operations machines
• Routers and other network elements
• Different impact when a network infrastructure element is compromised
• Compromised nodes may collude

NGSI Security Requirements
• A desired outcome of this workshop is to establish list of desired NGSI security properties
• Main security requirement is availability
• Need availability of forwarding service, configuration and management services, etc., even in face of DDoS attacks
• Fast recovery/convergence after perturbations
• Other security properties can usually be implemented end-to-end
• Confidentiality (data, topology, identity, …)
• Integrity (data, routing info, forwarding path, …)

Networking Functional Planes
• Control plane
• Function: route set up and signaling
• Requirement: accuracy, consistency, convergence
• Data plane
• Function: packet forwarding
• Requirement: availability, resilience to control plane vulnerabilities
• Management plane
• Function: configuration and monitoring
• Requirement: availability

Security Approaches
• Prevention
• Harden protocol itself
• Eliminate attacks at design time
• Detection and recovery
• Monitor behavior of participants
• Upon detection of misbehavior: eliminate malicious nodes, restore functionality
• Resilience
• Graceful performance degradation in the presence of compromised nodes and hosts
• Deterrence
• Provide legal disincentives

Sample Control Plane Design Points
• [prevention] Cryptographic primitives to prevent routing information falsification
• [prevention] Leveraging trusted computing technology
• Example: help implement secure routing
• [detection] Lightweight intrusion detection
• [resilience] Various redundancy mechanisms for survivability
• [deterrence] Trace intrusions

Sample Data Plane Design Points
• [prevention] Infrastructure-enforced flow regulation
• [prevention] Network firewalls / network filter infrastructure
• [detection] Data plane intrusion detection
• [resilience] Secure source-controlled routing
• [deterrence] Persistent network identity to assist forensic inquiries
• [deterrence] Trace and/or identify data origin

Sample Management Plane Design Points
• [prevention] Isolated configuration channels provide resistance to flooding and packet injection attacks
• [detection] Detect password-guessing attacks on network devices (hopefully we won’t base authentication on passwords only!)
• [resilience] Tolerate misconfigurations

Design Considerations
• What design considerations should we recommend to community?
• Sample guidelines
• Minimal trust?
• Small router state?
• Minimal network layer functionality?
• Favoring prevention over detection/recovery over resilience over deterrence?
• Facilities for deterrence, while protecting privacy?

Conclusion
• For next-generation secure Internet, build security into every component at every level
• Redesign protocols with security as a central design requirement
• Utilize comprehensive security approach, leveraging prevention, detection/recovery, resilience, and deterrence
• Consider social aspects: ease-of-use, privacy

Workshop Report Format
• Workshop goals
• Build community consensus for need of a next-generation secure Internet (NGSI)
• Establish requirements for NGSI
• Explore problem space
• Identify promising research directions
• Recommendations to NSF and community
• Structure of each report section on topic X
• Properties NGSI should provide for X
• Challenges and design considerations
• Potential approaches and methods