Communication Security in Next Generation Networks
January 29, 2004
Takashi Egawa, Yoshiaki Kiriha, Akira Arutaki
NEC Corporation

IP networks as an infrastructure

• In 2002 NTT stopped investment to renew Plain Old Telephone Service (POTS).
  – The shift towards a pure IP network has started. We cannot rely on telephone networks any more. IP networks must become grown-ups.
  – Today's VoIP networks use the POTS service to improve their reliability and to realize emergency calls. Such things will become impossible in the future.
• However, the IP network has many problems to solve before it can become an infrastructure.
  – The traceability and manageability that telephone networks have do not exist in current IP networks.
  – This comes from IP's design principle.

January 29, 2004 NEC Proprietary 2

IP Design Philosophy: Main Goals

• Effective multiplexed utilization of existing networks
  – Packet switching, not circuit switching
• Continued communication despite network failures
  – Routers don't store state about ongoing transfers
  – End-hosts provide key communication services
• Support for multiple types of communication service
  – Multiple transport protocols (e.g., TCP and UDP)
• Accommodation of a variety of different networks
  – Simple, best-effort packet delivery service
  – Packets may be lost, corrupted, or delivered out of order
• Distributed management of network resources
  – Multiple institutions managing the network
  – Intradomain and interdomain routing protocols
Grosshauser (2002)

Characteristics of the Internet

• The Internet is
  – Decentralized (loose confederation of peers)
  – Self-configuring (no global registry of topology)
  – Stateless (limited information in the routers)
  – Connectionless (no fixed connection between hosts)
• These attributes contribute
  – To the success of the Internet
  – To the rapid growth of the Internet
  – …and to the difficulty of controlling the Internet :<
Grosshauser (2002)

Operator Philosophy: Tension with IP
• Accountability of network resources
  – But, routers don't maintain state about transfers
  – But, measurement isn't part of the infrastructure
• Reliability/predictability of services
  – But, IP doesn't provide performance guarantees
  – But, equipment is not very reliable (no 'five-9s')
    Downtime: IP networks: 471 min/year, POTS: <5 min/year
• Fine-grained control over the network
  – But, routers don't do fine-grain resource allocation
  – But, the network self-configures after failures
• End-to-end control over communication
  – But, end hosts adapt to congestion
  – But, traffic may traverse multiple domains
Grosshauser (2002)

In short, current IP networks are…

A distributed, autonomous network is a labyrinth.
(Figure: a network in which "Failure!", "ping", "Security Breach!" and "Problems!" appear at different places; autonomous = no person knows.)
Traditional tools and MIBs are not enough to distinguish the reason why QoS degrades or where a security breach happens.

CIA: Three basic components of security

Confidentiality: Data must not be shown to unauthorized persons or programs.
Integrity: Data must not be modified by unauthorized persons or programs.
Availability: Authorized users must be able to use data as they want.

• Currently Confidentiality and Integrity are the end-user's role (e.g., IPsec)
• The network concentrates on Availability (QoS, reliability)
• This will not change soon, but in the future?

Then, what should we do for Availability?

1. Now: So what? I must make $$$.
   – Many ISPs don't (or can't) spend extra money on technologies to improve availability.
2. Near Future: OK, we must develop tools to understand what's going on in IP networks.
   – Various traffic monitoring tools have been developed.
3. Future: OK, we have to undermine and change the nature of IP. But to change IP itself is impossible, so…
   – Thinning the IP layer: MPLS, GOE, OPES, TCP overlay, etc.
   – Scale-free networks

Now: So what? I must make $$$.
Necessary, and makes money: VoIP(?), online games; new services, new technologies
Necessary, but does not make money: traffic engineering, QoS

• To which category are security/availability services assigned?
  – QoS, traffic engineering → 2nd category
  – Virus scanning, SPAM filtering?
  – Confidentiality, Integrity?
• Which customers, and how many of them, put a service in the 1st category?

Situation around QoS

Network operators
• QoS guarantee service is too expensive and too complicated
• All related equipment must be QoS enabled. It is expensive.
• It takes much time to start the service (equipment, education, know-how)
• Slight QoS improvements do not bring money
Residential users (broadband access users, connected through DiffServ routers)
• Live video and online games may require QoS guarantee
• But, they won't pay a large amount
Business users (business customers)
• Not all traffic requires QoS guarantee
• Anyway, most users and most traffic are satisfied
A system for special users is wanted; but DiffServ is for everybody

As a result, 'abundant resources. OK!'

ISPs' tactics to achieve availability are
• Prediction-based network design; this is the key.
  – Predict traffic demand, and make a plan for the investment.
• Basic tools (RMON, SNMP) are used to confirm that the prediction was correct.
  – Just confirmation. Simple tools are enough.
• If a trouble occurs (e.g., a failure), its cause is solved with these basic tools.
  – Special tools need $$$ and additional education. Difficult.
If this is the truth, what kind of properties must a tool have?
• A small start is indispensable.
  – Tools that protect special small users may be accepted.
Near future: Measurement method

Hot topics in IETF and various consortiums
• IETF started various WGs to standardize measurement methods and data formats
  – IPPM, IPFIX, PSAMP, …
• Consortiums
  – CAIDA
• Research projects
  – NIMI, RIPE/TTM, …
But since other speakers focus on this theme today, I'll skip it and…

Future: OK, we have to change IP.

However, a frontal breakthrough is impossible.
• Why is it so difficult?
  – IP is the key to interconnectivity.
  – Open standards are difficult to change.
• A sad example already exists: IPv6.
  – Its concept is exactly the same as IPv4, but still, it has not come yet.
  • No authentication, no authorization, no new-generation built-in diagnosis. And security is impossible to attach afterwards.
  • The discussion started in 1991. 13 years ago!
Then, how can we change it?

Strategy: Thinning the IP layer

We should remove functions from the IP layer, and make it a mere address system.
• From the lower layer
  – MPLS, GMPLS
  – Global Open Ethernet (GOE); NEC's proposal
  These are trials to take routing and traffic engineering functions from the IP layer.
• From the upper layer
  – IETF Open Pluggable Edge Service (OPES)
  – TCP Overlay
  These are trials to take routing functions from the IP layer.

Pros and cons of the lower layer approach

(A part of the whole) route uses special L2/L1.
• Every traffic flow is affected.
  – Precise traffic engineering/QoS control becomes possible.
• Bulk data transfer & no application information
  – The granularity of the control is coarse.
• (A meaningful portion of) L2 must be replaced with the new method (MPLS approach), or the method must be interoperable with the currently dominant L2 (Ethernet) (GOE approach).
(Figure: protocol stacks along the path Terminal – Router – Router – Router – Terminal; the terminals run AP/TCP/IP over L2/L1, the routers carry IP over Ethernet at the ends and IP over MPLS in a "special section" in the middle.)

Overview of Global Open Ethernet (GOE) architecture

(Figure: two user sites exchanging (1) user VLAN-tagged frames through GOE edge and GOE core switches; the edge pushes the GOE tag on ingress and pops it on egress, so the core forwards (2) GOE-tagged frames.)
* Simple Ethernet VPN / VPLS by providing EoMPLS functions based on extended EESVLAN
* Forwarding tag:
  – Node address tag (routing tag) instead of the destination MAC address
  – Unidirectional path, as an MPLS path
* Decoupling forwarding and customer info
  – Simple management
* Flexible/extensible header
Frame formats:
(1) IEEE 802.1D VLAN-tagged frame: DA | SA | VLAN tag | User-VLAN PDU
(2) GOE-tagged frame: DA | SA | NW-stacked VLAN tag (variable length) | User-VLAN PDU
    The NW-stacked VLAN tag consists of Forwarding Tag (M) | Customer ID Tag (M) | Protection Tag (O) | OAM&P Tag (O) | Vendor Ext. (O); M: mandatory tag, O: optional tag

GOE features

• "Node address" based forwarding
• Hierarchical node address routing
• Backward compatibility with legacy Ethernet devices
• Fast failure recovery
• In-service network reconfiguration
• Traffic engineering
Atsushi Iwata et al., 'Global Open Ethernet Architecture for Cost-effective Scalable VPN Solution', IEICE Trans. on Communications, vol. E87-B, no. 1, pp. 142-151, January 2004.
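The GOE-tagged frame format above stacks a network forwarding tag over the user's own VLAN tag, and the GOE edge pushes that tag on ingress and pops it on egress. The following Python is an added illustration, not code from NEC or the GOE project: it parses an Ethernet frame's VLAN tag stack, assuming standard IEEE 802.1Q/802.1ad TPIDs in place of GOE's own tag encoding, and shows the push and pop operations together with the check an egress node should make that the tag it strips is the one it owns.

```python
import struct

# Assumption: the forwarding tag is carried as a standard 802.1ad S-tag (TPID 0x88A8)
# stacked over the user's 802.1Q C-tag (TPID 0x8100); GOE's real tag layout differs.
TPID_CTAG = 0x8100
TPID_STAG = 0x88A8
TPIDS = {TPID_CTAG, TPID_STAG}

# Constructed sample: user frame with DA, SA, one C-tag (VID 100) and an IPv4 EtherType.
USER_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
              + bytes.fromhex("810000640800") + b"user payload")

def parse_frame(frame):
    """Return (da, sa, tags, ethertype, pdu); tags are (tpid, pcp, dei, vid), outer first.

    A core node forwards on tags[0] only and treats the deeper tags as opaque payload.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    da, sa, off, tags = frame[:6], frame[6:12], 12, []
    while len(frame) >= off + 4 and struct.unpack_from("!H", frame, off)[0] in TPIDS:
        tpid, tci = struct.unpack_from("!HH", frame, off)
        tags.append((tpid, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4
    if len(frame) < off + 2:
        raise ValueError("tag stack runs past the end of the frame")
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return da, sa, tags, ethertype, frame[off + 2:]

def push_tag(frame, vid, pcp=0, tpid=TPID_STAG):
    """GOE edge ingress: push a forwarding (node address) tag on top of the user's stack."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094")
    return frame[:12] + struct.pack("!HH", tpid, (pcp << 13) | vid) + frame[12:]

def pop_tag(frame, expected_vid):
    """GOE edge egress: remove the outer tag, refusing if it is not the tag this edge owns.

    Without this check a frame with a foreign outer tag would be released as user traffic.
    """
    _, _, tags, _, _ = parse_frame(frame)
    if not tags or tags[0][0] != TPID_STAG or tags[0][3] != expected_vid:
        raise ValueError("outer tag is missing or not ours")
    return frame[:12] + frame[16:]
```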
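GOE's "node address" based forwarding (listed above among the GOE features) builds one spanning tree per destination node and installs the reverse tree as that destination's forwarding entry. The Python below is an added illustration, not NEC's implementation: it computes the per-destination shortest-path trees of a small constructed topology with Dijkstra's algorithm (standing in for 802.1w's tree computation), derives each node's forwarding table from them, and recomputes the tables after a link failure.

```python
import heapq
from collections import defaultdict

# Constructed sample topology: undirected links with costs (lower cost = preferred).
LINKS = [("A", "B", 1), ("B", "C", 1), ("C", "D", 1), ("A", "C", 4), ("B", "D", 3)]

def make_graph(links):
    """Adjacency map {node: {neighbour: cost}} for an undirected link list."""
    graph = defaultdict(dict)
    for u, v, cost in links:
        graph[u][v] = cost
        graph[v][u] = cost
    return graph

def reverse_spanning_tree(graph, root):
    """Per-destination tree of PD-MRST: shortest-path tree rooted at the destination `root`,
    returned as {node: next hop toward root}, i.e. the reverse tree used for forwarding."""
    dist, next_hop, heap = {root: 0}, {}, [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry
        for v, cost in graph[u].items():
            if d + cost < dist.get(v, float("inf")):
                dist[v], next_hop[v] = d + cost, u
                heapq.heappush(heap, (d + cost, v))
    return next_hop

def build_forwarding_tables(graph):
    """One tree per destination (N trees for N nodes); tables[node][dest] = next hop."""
    tables = defaultdict(dict)
    for dest in list(graph):
        for node, nxt in reverse_spanning_tree(graph, dest).items():
            tables[node][dest] = nxt
    return tables

def forward_path(tables, src, dest):
    """Walk the tables hop by hop, as a frame carrying `dest` as its node address tag would."""
    path = [src]
    while path[-1] != dest:
        path.append(tables[path[-1]][dest])
    return path

def fail_link(links, u, v):
    """Topology after a link failure; the affected trees are rebuilt from it."""
    return [l for l in links if {l[0], l[1]} != {u, v}]
```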
"Node address" based forwarding (via per-destination based STP)

• Allocate a node address and configure the lowest priority for the node to become the root node of its spanning tree (ST)
• An ST destined to each node is created via IEEE 802.1q encapsulated 802.1w
  – Per-destination Multiple Rapid Spanning Tree (PD-MRST)
  – The reverse spanning tree is set as the forwarding table (shortest widest path to the destination)
(Figure: ST#1 rooted at root node #1 (Dest #1) and ST#2 rooted at root node #2 (Dest #2), spanning GOE nodes and current Ethernet nodes.)

Hierarchical node address routing (massively scalable simple routing)

• Allocate hierarchical node addresses
  – [Lev 3rd ID][Lev 2nd ID][Lev 1st ID]
• Spanning tree for each domain in each level
  – Hierarchical spanning tree
• Number of STs
  – X domains in the 3rd level
  – Y domains in the 2nd level
  – Z domains in the 1st level
  – Total #: X+Y+Z
• Forwarding table
  – Only the top of the stack of forwarding tags
  – Excludes destination MAC address based forwarding
  – Can reduce the # of forwarding entries
(Figure: a three-level hierarchy of domains #a to #l and the corresponding network topology.)

Backward compatibility with legacy Ethernet devices

• Use existing multiple spanning tree protocols (MSTP: IEEE 802.1q encapsulated 802.1w, 802.1s)
• Interworking between existing VLAN and GOE
  – Existing VLAN: bi-directional trees
  – GOE forwarding tree: uni-directional trees

Fast failure recovery

• Additional keep-alive procedure
  for quick node failure detection
• Root node failure means destination node failure, which does not require any root node election
  – Trigger dual-homing recovery (root node protection) through another root node (destination node)

                                         MRSTP (802.1w/s)      PD-MRSTP (802.1q based 802.1w/s)
Network management server                Not required          Not required
Restoration time (link failure)          50 ms - N sec         50 ms - N sec
Restoration time (node failure)          N sec                 50 ms - N sec
Restoration time (root node failure)     N sec                 N/A

In-service network reconfiguration

(Figure: root node #1 with Dest ID 0001 and alternate ID 10001; do not use the active ST and trigger a new ST, then switch over to the new tree; GOE nodes, current Ethernet nodes and additional GOE nodes.)

                                   MRSTP (802.1w/s)      PD-MRSTP (802.1q based 802.1w/s)
In-service reconfiguration time    0 sec - N sec         0 sec (may have a packet reordering issue)

Pros and cons of the upper layer approach

Scatter various servers in the network.
• Application information is available.
  – Application-aware control such as web caching becomes possible.
  – Selected users/applications become the target, so a small start is possible.
• Might be able to avoid scalability issues
• However, since it is built on IP, precise control is difficult.
• There are so many servers in the network these days…
(Figure: servers with standard and application-specific interfaces: web caching, Content Delivery Network (CDN), TCP performance enhancement box, firewalls, …)

IETF OPES: running after the reality

There are so many servers in today's Internet: NAT, NAT with Protocol Translator, SOCKS gateway, IP tunnel endpoints, packet classifiers, TCP performance enhancing proxies, load balancers that divert/munge packets, IP firewalls, application firewalls, …
The E2E argument has already been broken.
• IETF made the OPES WG in order to control the situation before it gets out of control.
  – Standardize a general framework for such middleboxes.
    • Security, procedures to call other OPES processors, procedures to chain OPES processors, …
  – Severe resistance occurred because it breaks the e2e argument. The proposal to establish OPES was rejected 3 times.
  – IAB issued RFC 3238 to describe the conditions that the OPES WG must follow.

RFC 3238: The conditions to establish OPES

IAB ordered the OPES WG to satisfy these conditions
• The right to install an OPES entity
  'A middlebox often modifies the contents. Who permitted that?' It's OK if one of the peers agrees. Virus checking: the end users; CDN: the server, probably.
• Health check
  How can we know the processing is done correctly? A mechanism must be provided so that the peer that installed the middlebox can detect it and do a health check of OPES. If it is possible to communicate without middleboxes, middleboxes must not interfere with 'raw' communication.
• Addressing (URI)
  OPES must not resolve URIs. (If there is an entity whose URI only OPES can resolve, what is a 'URI'? This is a profound question, so IAB prohibits temporary solutions.)
• Privacy: the end user must be able to set a privacy policy.

OPES activities

It standardizes various aspects of distributed services that use an 'OPES processor'.
• A protocol to execute services on remote OPES processors with authentication
• A protocol to detect the existence of OPES processors
• An architecture that enables these requirements (esp. for HTTP)
• Policy distribution for services
(Figure: a data provider and a data consumer communicate over HTTP/TCP/IP through an OPES processor, whose data dispatcher hands data to OPES service applications A … X; each service application can call out to a callout server (A … X) over OCP/TCP/IP(?).)
TCP overlay

The idea: if we split a TCP connection into multiple connections, we can
• increase the throughput,
• monitor and log the usage (like Packeteer's packet shaper), and
• control the throughput of each TCP connection
(Figure: maximum throughput (Mbps, 0 to 120) of a Tokyo-Osaka connection versus RTT (5 to 640 msec).)

Rate control with the TCP overlay box

• The throughput of each TCP connection can be controlled by regulating the congestion window size of each TCP connection independently of the 'true' network congestion
(Figure: simulation topology of two overlay nodes, two routers and a bottleneck link shared with cross-traffic generators; the plot shows total goodput (incl. cross traffic), the overlay'ed connection's goodput and the target goodput versus simulation time.)

Confidentiality and Integrity: end-user's job?

They were the end-user's job in the past, because information processing did not exist in networks. But
• There are already many, many servers in networks
  – Firewalls, mail, web caches, transactions for EC, …
• Information processing will increase more because
  – End-users cannot manage themselves (firewall terminal :<). (Figure: virus checking and SPAM filtering move from the terminal into the network.)
  – The link between end-users and edge routers is becoming fast enough to share the burden of data processing.
So we have to implement them in the future.
By integrating terminals, the network will become an enormously complicated system. Can we manage it?
Shift of network design paradigm

(Figure, labels only: Preparatory; Random, equal access; Telephone network; LAN, computer networks of the early days; Democracy; Socialism or dictatorship.)

RANDOM network; artificial network (every node is equal; legacy infrastructure)

Traditional communication networks, power grid, railways, highways

Scale-free networks (growing networks common in the natural world)

Internet, Web, personal relationships, airline hubs, reactions among proteins

We are looking at the rise of scale-free networks

Self-organizing and autonomous ← Random, equal access
• In the past, this shift was achieved by excellent SIers or administrators. But it is becoming impossible because the system is too complicated.
  – To make a list of new products is too tough a business
  – To distinguish the cause of troubles is too tough a business