Next-Generation Secure Internet: Security Overview and Context

Adrian Perrig
in collaboration with Steven Bellovin, David Clark, Dawn Song

Everybody Understands Need for NGSI
▪ Webby award
• Annual award for achievement in Web creation
• Recipients get five words only for their acceptance speech
• Vint Cerf: “We all invented the Internet”
▪ Al Gore received Webby award this year
• Responsible for spearheading critical legislation and providing much-needed political support
• Speech: “Please don’t recount this vote”
• “It is time to reinvent the Internet for all of us to make it more robust and much more accessible and use it to reinvigorate our democracy”

Background
▪ Internet designed for trustworthy environments
• Goal was to provide efficiency, scalability, robustness assuming a benign environment
• Fact: Internet protocols vulnerable to attacks, e.g., BGP, DNS, TCP/IP, …
• Hosts are even worse
▪ Today: businesses, government, society rely on Internet
▪ As of January 2005: 317,646,084 hosts (isc.org)
• Not all of them are benign!

Attacker/Trust Model
▪ Any network node may be compromised
• Endhosts
– Including network management and operations machines
• Routers and other network elements
• Different impact when a network infrastructure element is compromised
▪ Compromised nodes may collude

NGSI Security Requirements
▪ A desired outcome of this workshop is to establish list of desired NGSI security properties
▪ Main security requirement is availability
• Need availability of forwarding service, configuration and management services, etc., even in face of DDoS attacks
• Fast recovery/convergence after perturbations
▪ Other security properties can usually be implemented end-to-end
• Confidentiality (data, topology, identity, …)
• Integrity (data, routing info, forwarding path, …)

Networking Functional Planes
▪ Control plane
• Function: route set up and signaling
• Requirement: accuracy, consistency, convergence
▪ Data plane
• Function: packet forwarding
• Requirement: availability, resilience to control plane vulnerabilities
▪ Management plane
• Function: configuration and monitoring
• Requirement: availability

Security Approaches
▪ Prevention
• Harden protocol itself
• Eliminate attacks at design time
▪ Detection and recovery
• Monitor behavior of participants
• Upon detection of misbehavior: eliminate malicious nodes, restore functionality
▪ Resilience
• Graceful performance degradation in the presence of compromised nodes and hosts
▪ Deterrence
• Provide legal disincentives

Sample Control Plane Design Points
▪ [prevention] Cryptographic primitives to prevent routing information falsification
▪ [prevention] Leveraging trusted computing technology
• Example: help implement secure routing
▪ [detection] Lightweight intrusion detection
▪ [resilience] Various redundancy mechanisms for survivability
▪ [deterrence] Trace intrusions

Sample Data Plane Design Points
▪ [prevention] Infrastructure-enforced flow regulation
▪ [prevention] Network firewalls / network filter infrastructure
▪ [detection] Data plane intrusion detection
▪ [resilience] Secure source-controlled routing
▪ [deterrence] Persistent network identity to assist forensic inquiries
▪ [deterrence] Trace and/or identify data origin

Sample Management Plane Design Points
▪ [prevention] Isolated configuration channels provide resistance to flooding and packet injection attacks
▪ [detection] Detect password-guessing attacks on network devices (hopefully we won’t base authentication on passwords only!)
▪ [resilience] Tolerate misconfigurations

Design Considerations
▪ What design considerations should we recommend to community?
▪ Sample guidelines
• Minimal trust?
• Small router state?
• Minimal network layer functionality?
• Favoring prevention over detection/recovery over resilience over deterrence?
• Facilities for deterrence, while protecting privacy?

Conclusion
▪ For next-generation secure Internet, build security into every component at every level
• Redesign protocols with security as a central design requirement
• Utilize comprehensive security approach, leveraging prevention, detection/recovery, resilience, and deterrence
• Consider social aspects: ease-of-use, privacy

Workshop Report Format
▪ Workshop goals
• Build community consensus for need of a next-generation secure Internet (NGSI)
• Establish requirements for NGSI
• Explore problem space
• Identify promising research directions
• Recommendations to NSF and community
▪ Structure of each report section on topic X
• Properties NGSI should provide for X
• Challenges and design considerations
• Potential approaches and methods