Jun Li presentation at USC/ISI

Download Report

Transcript Jun Li presentation at USC/ISI 

SAVE: Source Address Validity
Enforcement Protocol
Jun Li, Jelena Mirković, Mengqiu Wang,
Peter Reiher and Lixia Zhang
UCLA Computer Science Dept
10/04/2001
{lijun, sunshine, wangmq, reiher, lixia}@cs.ucla.edu
Outline
 Motivation
 The Idea
 Handling Routing Changes
 Security and Deployment
 Simulation and Implementation
 Related Work
 Ongoing Work
 Conclusions
Motivation
 Provide routers with information on the valid
incoming interface for a given source address
 Filter out packets with invalid source
addresses
 Would be helpful for
 Many security issues
 Building multicast trees
 Network problem debugging
 Services relying on accurate source addresses . . .
The Idea
 Build an incoming table at a router that
specifies valid incoming interfaces for
address spaces
 Cannot be derived from forwarding table due to
routing asymmetry
 Cannot be designed by reversing routing protocol
• Should be designed to inform routers about the path
that has ALREADY been chosen
 Cannot augment routing updates to carry SAVE
info
 So, how?
Desired Properties of SAVE
 Routing protocol independence
 Immediate response to routing changes
 Security
 Incremental deployment
 Low overhead
Architecture
SAVE
updates
incoming table
forwarding table
updating
incoming
tree
generating SAVE
updates
SAVE
updates
final
stop?
yes
end
no
forwarding SAVE
updates
Example
X A
A
1
B
2
3
4
X AB
5
6
XX AAA
X
X AAA
X
X
X AAA
X
X
X AAA
X
X
XXX AAA
Y
X
4
But the green
SAVE
7
Y
3
8
incoming table
update
J
3
The says
greenmessages
router now
AB
5
A
1
knowsfrom
thatAmessages
come onfrom
X
B
2
A andinterface
B should5,arrive
not on
Forwarding table
interface
Incoming table
interface 56
Example
AB
A
10
Y AB
1
2
B
X
4
Y
3
J
3
A
1
B
2
Forwarding table
3
9
Y AB
9
11
13
14
4
12
AB
X
Y
13
Example
AB
9
P
A
Y AB
1
B
10
2
3
Y ABP
9
11
13
14
4
12
ABP 13
X
Y
Handling Routing Changes
1
C
2 D3
A
C
2
1
C
D
3
A
B
A
B
Handling Routing Changes
1
C
2 D3
A
C
2
1
C
D
3
A
B
A
B
Handling Routing Changes
1
C
D
A
2
1
C
3
B
D
C
3
A
A
B
Security of SAVE itself
 Essentially the same problem as securing
routing protocol
 Requirements
SAVE updates must only be exchanged between
routers, excluding hosts
Trust relationship between routers must be
established beforehand
SAVE updates must be signed or encrypted
Processing of SAVE updates must be lightweight
Deployment
 Can only be incremental
 Have to deal with legacy routers
 Incoming table will not cover the whole Internet
 Deployment at different location has different
impact
 Some real issues
 Mobile IP
 Tunnelling
 Multipath routing
......
Simulation
 All routers run SAVE protocol + routing
protocols
 Transit-stub topology generated using
GT-ITM
 BGP as inter-domain routing protocol
 RIP as intra-domain routing protocol
 Some asymmetric routes
Simulation Goals
 Effectiveness - are all spoofing packets
successfully detected and dropped?
 Correctness - are some valid packets dropped
erroneously?
 Transient behavior
 Cost
Effectiveness and Correctness
 Each packet source generates both valid and
spoofing packets
 Spoofing source addresses randomly chosen from
a pool of all source addresses in the network
 Every router is under an average load condition
 Results:
 In all scenarios all spoofing packets were detected and
dropped
 Without routing changes no valid packets were
dropped
Transient Behavior
 Route changes introduce a transient period for
SAVE to adjust every incoming table along the new
route
 During this period valid packets can be dropped on
new route
 Assuming that SAVE packets have same
propagation delay as data packets, inconsistency
occurs if:
 data packet is sent out on new route BEFORE new
SAVE update validating this route
 data packet is filtered at a router on the path
BEFORE new SAVE update is processed
Cost of SAVE
 Compared cost of SAVE with costs of
routing protocols (BGP and RIP)
 Bandwidth cost:
 compared bandwidth consumed by SAVE
updates with that consumed by routing updates
 Storage cost:
 compared the size of incoming table with the
size of forwarding table
Storage Cost
(single domain)
storage cost (kilobytes)
80000
70000
60000
50000
40000
30000
20000
10000
0
10
20
30
40
50
60
70
80
90
# of routers
forwarding table built by RIP
incoming table built by SAVE
optimized incoming table built by SAVE
Storage Cost
(multiple domains)
storage cost (kilobytes)
80000
70000
60000
50000
40000
30000
20000
10000
0
12
24
32
40
52
64
70
80
90
# of routers
forwarding table built by BGP
incoming table built by SAVE
optimized incoming table built by SAVE
Implementation in Linux
ROUTING
PROTOCOL
SAVE
SAVEd
ZEBRAd
BGPd OSPFd RIPd
FTABLE ITABLE
ITREE
NETLINK INTERFACE
FORWARDING
TABLE
KERNEL
FIREWALL
IP NEIGHBOR
MAP
INTMAP
Related Work
 Cryptographic Methods
 High computation overhead of cryptographic
operations
 Forwarding-table-based filtering
 Routing asymmetry leads to erroneous packet
dropping
Related Work
 Ingress and egress filtering
 Very ineffective if partially deployed
 Packet tracing
 Complex and expensive
 Ineffective when the volume of attack
traffic is small or the attack is distributed
 Reactive, not preventive
On-going Work
 Cooperation with Purdue University
on partial deployment investigation
 Implementation
 IXP router implementation
 Cisco router implementation
 Testing
 FTN testbed
 Utah testbed
 IETF draft
Conclusions
 Filtering improperly addressed packets is
worthwhile
 Asymmetric network routing demands an
incoming table
 SAVE builds incoming tables correctly with
low bandwidth and storage overhead
 SAVE has demonstrated its correctness
and effectiveness through simulation
 Implementation is under way