Download SAVAH: Source address validation with Host Identity Protocol

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
Document related concepts

Airborne Networking wikipedia , lookup

AppleTalk wikipedia , lookup

Extensible Authentication Protocol wikipedia , lookup

Computer security wikipedia , lookup

Computer network wikipedia , lookup

Peering wikipedia , lookup

Network tap wikipedia , lookup

Multiprotocol Label Switching wikipedia , lookup

Net bias wikipedia , lookup

Recursive InterNetwork Architecture (RINA) wikipedia , lookup

List of wireless community networks by region wikipedia , lookup

Distributed firewall wikipedia , lookup

Wireless security wikipedia , lookup

Deep packet inspection wikipedia , lookup

Piggybacking (Internet access) wikipedia , lookup

Wake-on-LAN wikipedia , lookup

Zero-configuration networking wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Transcript 
SAVAH: Source address validation with Host Identity Protocol
Dmitriy Kuptsov
[email protected]
December 9, 2009
Outline
• Address spoofing
• Related work
• SAVAH approach
• Implementation
• Deployment and performance evaluation
• Security thread analysis
• Summary
Source address spoofing
•Routing is done using only destination IP address
– Source IP address is not validated nor authenticated
– Malicious users can forge nodes in the Internet
– Gives “green” light for various attacks, such as DoS attacks •Accounting in the Internet is not an easy thing
– If the address was not authenticated it is hard to trace back the originator of the network communication
– Using cryptography based authentication can solve the problem
Related work
•The existing approaches for validating a source IP address in the Internet:
– Cryptography based validation
– Filtering (egress/ingress)
– “Trace back” methods
•Cryptography based solutions provide good security but require large scale deployment
•Filtering based solutions, such as ingress filtering, are easy to deploy but lack security and accountability properties
•“Trace back” approaches look promising but still require large deployment and are less secure than the cryptography based solutions
SAVAH Extension
•SAVAH: Source address validation architecture with Host Identity Protocol (HIP)
•Using HIP we can authenticate the traffic by:
– A plain HIP/IPSec communication with filtering based on the list of allowed Host Identity Tags (HITs)
– A source address authentication with HIP and SAVAH extension
– A source address authentication with HIP and SAVAH in tunnelling mode
•Replacement of CGA based authentication in a local area network
•The solution is suitable both for IPv6 and IPv4 networks
Pros and Cons
•Advantages:
– Strong authentication based on cryptographic properties, can also serve to control a network access – Traffic accounting and malicious activity logging
– Limited DoS attack prevention mechanism
– Incremental deployment, no need to modify all hosts in the Internet at once
•Drawbacks:
– Modifications of the hosts in the local network are required
– A bit slower than regular ingress filtering, because of signature checks
SAVAH implementation
Registration with router
•Step 1: Locator assignment and host identifier registration
– The HIT is registered (added to a list of allowed identifiers) on the first­hop router. How do we do that?
– The host gets the locator (IP address) through one of the available mechanisms:
• Stateful or stateless autoconfiguration
• Manual configuration
•Step 2: The host discovers the SAVAH router
– The identifier of router can be obtained through:
• Stateless or stateful autoconfiguration • Manual configuration
• Opportunistic service discover procedure
Registration with router (continue)
•Step 3: Registration with SAVAH service
– Accomplished with HIP service registration procedure described in RFC 5203 “Host Identity Protocol (HIP) Registration Extension”
– Registration succeeds if:
• During HIP base exchange a source HIT found in signaling packets (I1 and I2) is present in the list of allowed HITs
• After base exchange completes a database of previously seen locators (IP addresses) does not contain a record with a source IP address of a registrar
Authentication
•After SAVAH registration is completed, both parties (the host and the router) posses a shared secrete key
•Host appends special IP option to each outgoing packet containing value (token) from HMAC (key | Packet) operation
•Router compares the values from packet and locally calculated secure hash using shared secret key
IPv4 option format
IPv6 option format
Tunneling mode for SAVAH
•Instead of adding a signature to the packet we can encapsulate the traffic through SAVAH router towards the Internet (a combination of a tunnel and a BEET IPSec modes)
•The packets are verified by IPSec AH, plus security is guaranteed (if needed for performance reasons, NULL encryption can be used)
•This approach also benefits the mobility – useful in wireless networks
•Drawback – slower then lightweight signatures
SAVAH deployment (placement in the Internet)
Original source “Source Address Validation: Architecture and Protocol Design” Open wireless network scenario
Performance evaluation (configuration)
•Hardware used in the experimental setup:
– Wireless access point (Avila board or Fonera FON2100 router) used as first­hop router and a DHCP server in our network. We have used Avila board in the experiments:
• Customized OpenWRT Linux distribution
• CPU: 533 MHz (Avila board)
• RAM: 128 Mb (Avila board)
– Laptop used as SAVAH client:
• Ubuntu Linux distribution
• CPU: 2.4 GHz Dual Core
• RAM: 3 Gb
•Network was configured to support both IPv4 and IPv6 stacks
Performance evaluation (results)
SAVAH packet processing time on router (Avila board)
SAVAH router (Avila board)
SAVAH client (laptop)
SAVAH packet processing time on client (laptop)
9351
1324
Average processing time (microseconds)
Performance evaluation (results)
•SAVAH does not stress the device in terms of memory usage
•Around 2 MB of additional memory is occupied when running HIP in SAVAH mode
Memory usage on the SAVAH router
Security threat analysis
•Redirect attacks
•DNS reflection attack
•Denial of Service
•Smurf/Fraggle Attack •SYN Attack
•Redirect attacks, smurt/fraggle attacks and DNS reflection attacks are impossible to do. Only validated packets can flow out the network
•Denial of service attacks are not possible as well, however DDoS are. •SYN floods will loose the meaning unless triggered through zombies
Future work
•Finish the implementation and deployment – Integrating the registration procedure (not the same as SAVAH service registration)
– Tunneling mode still requires some work
•Continue working on the Internet draft related to SAVAH
•Can we build on path traffic accounting with SAVAH, e.g. when both sender's and receiver's networks are SAVAH capable?
SUMMARY
•Solving the address spoofing as close to the network communication originator as possible is a good strategy. Leave a prefix filtering to AS systems who are confident about the source
•Cryptography solutions are strong but poor in performance
•SAVAH protects against some well­known attacks, but requires some modifications to provide better protection for both initiator's and responder's network
Questions?
Thank you!
Related documents
Sample Quiz
Sample Quiz
Security “Tidbits” - The Stanford University InfoLab
Security “Tidbits” - The Stanford University InfoLab
Peak Support Services Ltd
Peak Support Services Ltd
glossary - Homework Market
glossary - Homework Market
sw-p-08 router remote control
sw-p-08 router remote control
How to setup the router for Static IP internet connection mode
How to setup the router for Static IP internet connection mode
WT8266-S1 FAQ Forum: bbs.wireless-tag.com
WT8266-S1 FAQ Forum: bbs.wireless-tag.com
Mid-term Exam
Mid-term Exam
William Stallings, Cryptography and Network Security 5/e
William Stallings, Cryptography and Network Security 5/e
connectivity_hard_ware_1
connectivity_hard_ware_1
WiHawk
WiHawk
Check Your Understanding Chapter 7 Part 1 For a quick review to
Check Your Understanding Chapter 7 Part 1 For a quick review to
Create a standard ACL that will deny traffic from 192
Create a standard ACL that will deny traffic from 192