Accountability Internet Protocol (AIP)
David G. Andersen (CMU), Hari Balakrishnan (MIT), Nick Feamster (Georgia Tech), Teemu Koponen (ICSI & HIIT), Daekyeong Moon, Scott Shenker (UCB)
In Proc. SIGCOMM, 2008
Speaker: Yun Liaw, 2/13/09

Outline
• Introduction
• AIP Design
• Uses of Accountability
• Routing Scalability with AIP
• Key management
• Traffic Engineering and AD Size
• Related Work, Conclusion and Comments

Introduction
• Accountability: The fundamental ability to associate an action with the responsible entity
• The problematic requirements of past approaches:
  1. Complicated mechanisms
  2. External sources of trust (e.g., CA in S-BGP)
  3. Operator vigilance (e.g., Ingress Filtering)
• AIP: A next generation network architecture that provides accountability as a first-order property

AIP Design
• A simple generalization of the Internet's original two-level hierarchical addressing structure: AD:EID
• Accountability Domains (AD): Independently administered networks, each with a unique identifier
  • Multiple levels in the hierarchy of ADs are supported
• End-Point Identifier (EID): Host-assigned globally unique identifier
• Interface bits (if): The last 8 bits of the EID, used to handle hosts that attach multiple times to the same AD
• General form of an AIP address: AD1:AD2:...:ADk:EID

AIP Design
• Self Certifying: The name of an object is the public key that corresponds to that object
  ⇒ Accountability needs verifiable identity
  ⇒ We use cryptographic signatures for verification
  ⇒ The identifier should be bound to their public key
  ⇒ Security should not rely on manual configuration or trusted authorities
• AD: The hash of the public key of the domain
• EID: The hash of the public key of the corresponding host

Forwarding and Routing
• Before reaching the Dest AD: forward by Dest AD (next hop) only
• After reaching the Dest AD (next hop) border router: examine the next field of the Dest AD stack and replace Dest AD (next hop)
• After reaching the last Dest AD: forward by Dest EID only

Uses of Accountability

Source Accountability: Detecting & Preventing Source Spoofing
• uRPF (Unicast Reverse Path Forwarding): An automatic filtering mechanism that accepts packets only if the route to the packet's source points to the same interface on which the packet arrived

Source Accountability: EID verification

Source Accountability: AD verification - Scalability
• Accept cache management: If the number of entries for a single AD exceeds the threshold, upgrade to a single-AD wildcard AD:*
• Division of filtering responsibility:
  • Border routers: Verify the source of customers whose return path does not go directly to the customer
  • Interior routers: Need not perform further actions
  • Peering routers: Large peers will likely trust the peer's verification based on a bilateral contractual agreement

Source Accountability: AD verification
• "Protect those who protect themselves"
• Limiting Address Minting
  • EID limiting: Place an EIDs/second limit on each port
  • AD limiting: Limit the number of ADs that a customer could announce

Source Accountability: Shut-off Protocol
• Smart-NIC (Smart Network Interface Card)
  1. Check the hash
  2. If the hash matches, suppress the traffic for the duration of the TTL

Source Accountability: Securing BGP
• AIP simplifies the task of deploying mechanisms, since IP lacks a firm binding between public keys, ASes, and prefixes
• Operators configure a BGP peering session, and the session is automatically aware of the public keys by identifying the peer AD
• BGP routers sign the routing announcements, and routers that receive an update should verify it before applying it
• Each router must be able to find the public key that corresponds to that AD

Routing Scalability with AIP

Routing Growth Estimation
• Diameter of the Internet / AS path length: shrinking
• Routing table size:
• BGP update volume: By 2020, when a BGP session resets, the routers will have to exchange ≥ 1.6 million prefixes with each peer, ideally in a few seconds

Routing Table Size

Effects of Moving to AIP
• FIB (Forwarding Information Base) lookups become flat
• The prefix size (32 bits) and ASes (16 bits) will increase to 160 bits (hash of public key)
• Routers will need to store a copy of each AD's public key
• CPU costs for cryptographic operations (similar to S-BGP)
• The Internet diameter may remain unchanged

Resource Requirements
• Semiconductor Growth Trends: Moore's Law
• RIB & FIB storage (RAM):

Resource Requirements
• Update processing (CPU): The routing table would grow by a factor of between 5 and 9 by 2020, and Moore's Law expects CPU to grow by a factor of 16
• Cryptographic overhead: By 2020, a commodity CPU should be able to verify 480K and create 13K signatures per second
  • Verifying one signature for each route announcement from each of 20 peers would require
    $\frac{20\ \text{peers} \times 1.6\text{M routes}}{480000\ \text{sigs/sec}} \approx 66\ \text{seconds}$
• In summary, technology trends suggest that routing scalability with respect to memory, CPU and so on is manageable

Key Management

Key Discovery
• The key is obtained automatically once the address is known
• The address can be obtained by any kind of lookup service: manually, S-DNS, etc.
• Assume that peering ADs can identify each other out-of-band

Key Registries
• Maintain a public registry for each AD and the ADs to which each EID is bound
• Assumptions:
  • The existence of global registries where principals can register cryptographically signed assertions
  • The existence of per-domain registries that can be housed by the ISP itself
• Advantages:
  • No need for any central authority. The registry verifies the signature before storing data
  • The registry can be populated by the entities involved, with no need for human intervention or involvement

Key Registries
• Classes of assertions in the registries:
  • Keys: $\{X, K_X\}$
  • Revoked keys: $\{K_X, \text{is\_revoked}\}_{K_X^{-1}}$
  • Peerings: $\{A, K_A, B, K_B\}_{K_A^{-1}}$, $\{A, K_A, B, K_B\}_{K_B^{-1}}$
  • ADs of EID X: $\{A, X\}$
  • First hop router of X: $\{\text{Router}, X, \text{MAC}_X\}_{K_{\text{Router}}^{-1},\, K_X^{-1}}$

Key Registries
• Maintaining the domain's registry: by AD
  • Forcing the domain to sign A:X entries before the DNS server and resolvers will accept them as the result of a DNS resolution
• Using the registries:
  • For hosts: Check the global registry for which domains are hosting it, and check the domain-specific registry for which first-hop routers are hosting it
  • For domains: Check the global registry to see which domains claim to be peering with it

Traffic Engineering and AD Size

Traffic Engineering
• Goal: To map an offered load onto a set of available paths
• ADs cannot be split into sub-prefixes for finer control over routing
• AD Granularity
  • AD: A group of nodes that meets these two criteria:
    • They are administered together
    • They would fail together under common network failures
  • AD granularity corresponds roughly to the way in which connectivity to the network changes

Traffic Engineering
• Splitting ADs for TE
  • ISPs could create an AD from each prefix in the wide-area BGP routing tables
  • One can use interface bits in order to sub-divide an AD
• DNS-based load balancing
  • Server-centric view: How to load balance traffic destined for a particular service across machines in a cluster or across data centers
  • AIP's interface bits might simplify the load-balancing by representing a service as a single "host" multiple times

Related Work, Conclusion and Comments

Related Work & Conclusion
• Related Work
  • Self-certifying names (CGA, HIP)
  • Separating identifiers and locators (GSE/8+8)
  • Scalability
  • Source accountability (packet filtering, Passport)
  • Control-plane accountability (S-BGP, soBGP)
• Conclusion
  • Using a simple hierarchical addressing scheme with self-certifying components to enable accountability, to solve source spoofing, DoS traffic, and S-BGP

Comments
• Some assumptions seem not feasible today (e.g., global key registry)
• Who should hold the accountability?
• The next-generation network architecture would always face the problem of how to make people adopt it
• Do we really need accountability as the first-order property in the Internet?
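
Added example (not from the slides or the AIP authors): a sketch of the accept cache from the "AD verification - Scalability" slide, combined with the self-certifying check from "AIP Design", showing what a router gives up when per-host entries collapse into AD:*. The class and function names, the threshold value, the truncated SHA-256 hash and the sample keys are assumptions made for illustration.

```python
import hashlib

WILDCARD = "*"

def self_cert_id(public_key: bytes) -> str:
    # 160-bit identifier = hash of the public key. Truncated SHA-256 is an
    # assumption of this example; the slides do not name the hash function.
    return hashlib.sha256(public_key).digest()[:20].hex()

class AcceptCache:
    """Router-side cache of verified sources with per-AD wildcard upgrade."""

    def __init__(self, threshold: int):
        self.threshold = threshold
        self.entries = {}  # AD -> set of verified EIDs, or {WILDCARD}

    def add_verified(self, ad: str, eid: str, host_key: bytes) -> bool:
        # Self-certifying check: the presented key must hash to the claimed
        # EID. Proof of possession (a signature made with the matching
        # private key) is a separate step and is not modelled here.
        if self_cert_id(host_key) != eid:
            return False
        eids = self.entries.setdefault(ad, set())
        if WILDCARD not in eids:
            eids.add(eid)
            if len(eids) > self.threshold:
                # Too many per-host entries: collapse them into AD:*
                self.entries[ad] = {WILDCARD}
        return True

    def accepts(self, ad: str, eid: str) -> bool:
        eids = self.entries.get(ad, ())
        return WILDCARD in eids or eid in eids

def demo():
    # Constructed sample keys; real keys would be public-key encodings.
    ad = self_cert_id(b"constructed AD public key")
    hosts = [b"constructed host key %d" % i for i in range(4)]
    eids = [self_cert_id(k) for k in hosts]
    cache = AcceptCache(threshold=2)
    spoof_ok = cache.add_verified(ad, eids[0], b"some other key")
    cache.add_verified(ad, eids[0], hosts[0])
    cache.add_verified(ad, eids[1], hosts[1])
    before = (len(cache.entries[ad]), cache.accepts(ad, eids[3]))
    cache.add_verified(ad, eids[2], hosts[2])  # third entry exceeds threshold
    after = (len(cache.entries[ad]), cache.accepts(ad, eids[3]))
    return spoof_ok, before, after
```

After the upgrade the cache holds one entry for the AD, and an EID that was never individually verified (the fourth host) is accepted: the wildcard trades per-host checking for bounded state and relies on the source AD filtering its own hosts.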