Download Supernetworking: Virtual Address Resolution at the Edge Christoph Schuba

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
Document related concepts
no text concepts found
Transcript 
Supernetworking: Virtual
Address Resolution at the Edge
Christoph Schuba
Caronni, Chang, Kumar, Landau, Schuba, Scott
Security Research Group
Network&Security Center
Sun Microsystems Laboratories
901 San Antonio Road
USA − Palo Alto, CA 94303
Sun Microsystems Laboratories
Outline
'
Motivate and present our model of secure
virtual networking
'
Explain requirements for addressing in
global/virtual network, focus on edge
'
Describe the prototype status quo and future
work
'
Draw conclusions
Sun Microsystems Laboratories
Security
Mgmt
g
tin
pu
St
or
'
Secure Communication:
Supernets
'
Secure Storage
'
Secure Computing
'
Security Management
om
C
ag
e
Public Utility Computing
Model
Communication
Sun Microsystems Laboratories
Motivation for
Public Utility Computing (PUC)
'
Dependence on computer networking
'
Requirement for ubiquitous access to data and
services, e.g., e−commerce, sales staff, remote
employees, etc.
'
Desire for network security
vs.
Desire for open access
Sun Microsystems Laboratories
Motivation for PUC (cont.)
'
IT expertise ≠ core business expertise
'
Outsourcing of information infrastructure
needs in a secure fashion
'
Benefits through economies of scale:
'
cost effectiveness,
'
no provider lock−in,
'
leveraging today’s technology,
'
access to new technologies
Sun Microsystems Laboratories
Motivation for PUC (cont.)
'
'
Insufficient attempts at security problem:
'
Firewall technology
'
Virtual private networks
'
Reverse proxies, e.g., iPlanet (sun.net)
Drawbacks and problems:
'
Inefficiencies in operation
'
Lack of flexibility for network creation/dissolution
'
Difficulty in maintainance and administration
'
High cost
Sun Microsystems Laboratories
Articles of Faith
'
Large number of network attached devices
'
Security requirements
'
Dynamic coalition capability
'
Lifetime independence
'
Reuse of existing applications
'
Outsourcing of communication infrastructure
Sun Microsystems Laboratories
Today: Building Communities
around Networks
Sun Microsystems Laboratories
Goal: Building Networks around
Communities
Alice
Alice
Bob
bigdisk.com
Bob
bigdisk.com
Sun Microsystems Laboratories
Goal: Building Networks around
Communities
Alice
Alice
Bob
bigdisk.com
Bob
bigdisk.com
Sun Microsystems Laboratories
Addressing at the Edge
'
Legacy:
Lots of applications that use TCP/IP
'
Desire:
Independence of underlying transport (hw)
'
Realization:
IP is global glue
Sun Microsystems Laboratories
IP: Global Glue
App
App
App
TCP/UDP TCP/UDP TCP/UDP
IP
ETH
2TCWS
Sun Microsystems Laboratories
IP: Global Glue (cont.)
App
App
App
TCP/UDP TCP/UDP TCP/UDP
IP
App
TCP/UDP
IP
IP
SNSL
SNSL
IP
ETH
Sun Microsystems Laboratories
2TCWS
Addressing in Supernets
Alice
Alice
128.10.17.67
Bob
bigdisk.com
Bob
192.146.122.79
bigdisk.com
130.140.12.2
Sun Microsystems Laboratories
Addressing in Supernets (cont.)
Alice
10.0.3.1
Alice
128.10.17.67
Bob
10.0.3.2
bigdisk.com
10.0.3.100
Bob
192.146.122.79
bigdisk.com
130.140.12.2
Sun Microsystems Laboratories
Five Architectural Components
'
Authentication and Admission Control
'
Communication Security Services
'
Key Management
'
Virtual Address Resolution (VARP)
'
OS−level Enforcement of Node
Compartmentalization
Sun Microsystems Laboratories
Authentication and Admission
Control: sasd, snlogin
'
Multiple pluggable authentication
mechanisms
'
Policy encoding separate from enforcement
'
Virtual IP address (vaddr) request
vs.
assignment in DHCP style
'
Node = equivalent to a host in supernets
(identified by a supernet id and IP address)
Sun Microsystems Laboratories
Communication Security
Services: SNSL
'
Network security services for
'
Confidentiality
'
Integrity
'
Authenticity
'
IPSec encapsulation in tunnel mode
'
Avoid IPSec NAT problem
Sun Microsystems Laboratories
Key Management:
kms, kmc, kmd
'
Groupkey management
'
All group members share the same key:
Channel
'
Policy−based key revisions on events
'
'
join, leave, time interval
Supernet channels are small enterprise
networks that are secured against outside.
Sun Microsystems Laboratories
Virtual Address Resolution
Protocol (VARP)
'
'
Assume: Endpoint addressability:
'
Currently IPv4
'
Future: IPv6, DNS names, (RA,IRT), etc.
Mapping between
'
Virtual IP addresses (vaddrs)
and
'
IP address of computer hosting nodes
Sun Microsystems Laboratories
Virtual Address Resolution
Protocol (cont.)
'
Example:
0x00000123:10.0.3.2
−
192.146.122.79
'
Localized scope (per supernet)
'
Endpoint requirements:
'
VARP client functionality
'
Dynamic configuration of VARP service
Sun Microsystems Laboratories
OS−level Enforcement of Node
Compartmentalization
'
OS enforcement of process encapsulation
'
Inheritance of supernet membership on fork()
Caching of address mappings and keying
material
'
Sun Microsystems Laboratories
Status Quo
'
Working prototype of communication
component (on Sparc, and Redhat Linux,
IPSec, C, Java).
Limited availability as RedHat rpm
'
Several design documents, white papers,
presentations, related patents
Sun Microsystems Laboratories
In Progress + Future Work
'
Prototyping of storage component (cnfs)
'
Storage key management under development
'
Secure Computing?
'
Management Component?
Sun Microsystems Laboratories
Summary
'
Create autonomous, secure networks around
dynamically changing communities
'
Requirements on infrastructure
'
'
Endpoint addressability
'
PUC enabling services: sas, varp, km
Requirements on endpoints:
'
Address of admission control: DNS, config
'
Client sw for VARP, group key mgmt
'
SNSL layer
Sun Microsystems Laboratories
[email protected]
Questions?
Sun Microsystems Laboratories
Related documents