Research on IP Anycast Secure Group Management

Wang Yue [email protected]
Network & Distribution Lab, Peking University
Network Research Workshop 2003, 16th APAN Meetings
List of Topics
Review of IP Anycast
Anycast Security Model
Anycast Group Characteristics
Secure Anycast Listener Discovery (S-ALD)
Review of IP Anycast
An IP service defined in RFC 1546 for IPv4 and in RFC 2373 for IPv6.
Like multicast, an IP anycast address is assigned to a set of network interfaces.
But a packet sent to an anycast address is delivered to only one of them: the "topologically nearest" interface with this address, as measured by the routing protocols.
Review of IP Anycast (continued)
Anycast group A is identified by its anycast address;
each member can also have a unicast address to identify itself.
Review of IP Anycast (continued)
Address modification for stateful service
[Figure: the client sends its first packet to the anycast address (dst = a1); the anycast server that receives it (anycast address a1, unicast address u1) replies from its unicast address (src = u1); every later packet of the session is sent to dst = u1, so the whole session reaches the same server.]
Anycast Security Requirements
Anyone can announce to the routing system, or to clients, that it is a member of a certain group.
Therefore anycast is vulnerable to attacks such as masquerading, DoS, etc.
"Security Requirements of IPv6 Anycast" (Internet draft) identifies three issues:
Unauthenticated anycast server announcements
Source address modification by an anycast server
Secure communication between anycast clients and servers
Secure Channel for Anycast
We need secure channels between anycast members and the routing system, as well as between anycast members and clients.
Certificate-based secure protocols are well suited to this purpose.
[Figure: anycast members, the routing system and clients; red lines denote secure channels]
Authorization Scheme
IPv6 anycast address format:
n bits: network prefix | 128-n bits: group identifier
The network prefix defines the topological scope in which all members reside.
Global IP Anycast (GIA): the prefix is the null prefix (n = 0)
Regional IP Anycast (RIA): the prefix is not null
AS-inner RIA: the prefix lies inside a single AS
AS-outer RIA: the prefix does not lie inside any single AS
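As an added illustration (not code from the presentation), the following Go program splits an IPv6 anycast address at a chosen prefix length n into the network prefix and the (128-n)-bit group identifier, and then classifies it as GIA, AS-inner RIA or AS-outer RIA by checking whether the prefix is covered by a prefix that some AS originates. The AS registry, the ASN "AS64496" and the 2001:db8::/32 addresses are constructed for the example; the scope names follow the slide.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
	"net/netip"
)

// Scope is the topological class of an anycast address as defined on the slide.
type Scope int

const (
	GIA        Scope = iota // Global IP Anycast: null (zero-length) prefix
	ASInnerRIA              // Regional IP Anycast whose prefix lies inside one AS
	ASOuterRIA              // Regional IP Anycast whose prefix lies inside no single AS
)

func (s Scope) String() string {
	switch s {
	case GIA:
		return "GIA"
	case ASInnerRIA:
		return "AS-inner RIA"
	case ASOuterRIA:
		return "AS-outer RIA"
	}
	return "unknown"
}

// AnycastAddr is a 128-bit IPv6 anycast address split into its n-bit network
// prefix (the topological scope) and its (128-n)-bit group identifier.
type AnycastAddr struct {
	Prefix  netip.Prefix
	GroupID *big.Int
}

// ASPrefix is a constructed registry entry: an AS and one prefix it originates.
type ASPrefix struct {
	ASN    string
	Prefix netip.Prefix
}

// ParseAnycast splits addr at bit n. n == 0 means the null prefix (GIA).
func ParseAnycast(addr string, n int) (AnycastAddr, error) {
	a, err := netip.ParseAddr(addr)
	if err != nil {
		return AnycastAddr{}, err
	}
	if !a.Is6() || a.Is4In6() {
		return AnycastAddr{}, errors.New("not a native IPv6 address")
	}
	if n < 0 || n > 128 {
		return AnycastAddr{}, fmt.Errorf("prefix length %d out of range", n)
	}
	raw := a.As16()
	full := new(big.Int).SetBytes(raw[:])
	// Mask keeping the low 128-n bits: (1 << (128-n)) - 1.
	mask := new(big.Int).Lsh(big.NewInt(1), uint(128-n))
	mask.Sub(mask, big.NewInt(1))
	gid := new(big.Int).And(full, mask)
	return AnycastAddr{Prefix: netip.PrefixFrom(a, n).Masked(), GroupID: gid}, nil
}

// Classify returns the scope class and, for AS-inner RIA, the AS whose prefix
// covers the anycast prefix. The registry is scanned in order, so list more
// specific AS prefixes first if they nest.
func Classify(a AnycastAddr, registry []ASPrefix) (Scope, string) {
	if a.Prefix.Bits() == 0 {
		return GIA, ""
	}
	for _, as := range registry {
		if as.Prefix.Bits() <= a.Prefix.Bits() && as.Prefix.Contains(a.Prefix.Addr()) {
			return ASInnerRIA, as.ASN
		}
	}
	return ASOuterRIA, ""
}

func main() {
	registry := []ASPrefix{{ASN: "AS64496", Prefix: netip.MustParsePrefix("2001:db8::/32")}}
	for _, c := range []struct {
		addr string
		n    int
	}{{"2001:db8:1::1", 0}, {"2001:db8:1::1", 48}, {"2001:db9::1", 32}} {
		a, err := ParseAnycast(c.addr, c.n)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		s, asn := Classify(a, registry)
		fmt.Printf("%s with n=%d -> prefix %s, group id %#x: %s %s\n", c.addr, c.n, a.Prefix, a.GroupID, s, asn)
	}
}
```

The classification decides which authorization hierarchy (GIA/AS-outer RIA versus AS-inner RIA) a Group Discoverer has to verify, so it is the first step before any certificate is checked.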
Authorization Scheme (continued)
Three separate authorizations are needed:
Assigning an anycast address, e.g. by IANA
Entitling an interface to group membership, e.g. by the group (address) owner
Admission control for a group member residing in a certain network region or AS, e.g. by that AS
Authorization Scheme (continued)
Authorization hierarchy for GIA and AS-outer RIA addresses
[Figure: two certificate chains, each color denoting one chain. Address chain: IANA assigns the GIA or AS-outer RIA address to the address owner, and the address owner grants membership to a member. Admission chain: the AS in which the member resides grants admission to the member.]
Authorization Scheme (continued)
Authorization hierarchy for AS-inner RIA addresses
[Figure: IANA delegates address space to the AS; the AS delegates a prefix to an AS-inner network (the anycast address prefix covers a network inside the AS); the AS-inner network assigns the AS-inner RIA address to the address owner, who grants membership to a member; the AS-inner network also grants admission to the member.]
Configuration
Group Discoverers need to be configured with the public key of IANA (or of the local address-assigning authority) and with the public key that anchors the admission-control certificate chain.
Clients need only be configured with IANA's public key.
Truncation of certificate chains can be used to reduce cost after the first full verification.
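To make the hierarchy concrete, here is an added Go example (not code from the presentation) of the two chains a Group Discoverer verifies for a GIA or AS-outer RIA address, and of the single chain a client verifies with only IANA's key. The certificate format, the claim names "address-delegation", "membership" and "admission", and the use of Ed25519 from the Go standard library are assumptions for the example; the slides specify neither a certificate format nor a signature algorithm. All keys and the address 2001:db8:1::1 are generated or constructed inside the program.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Cert is a hypothetical, minimal authorization certificate: the issuer signs
// (claim, scope, subject key). Claim names are illustrative, not from the slides.
type Cert struct {
	Subject ed25519.PublicKey
	Claim   string // "address-delegation", "membership" or "admission"
	Scope   string // the anycast address the claim covers
	Sig     []byte // issuer's signature over tbs(...)
}

// tbs builds the to-be-signed bytes with length-prefixed fields so that
// different (claim, scope) pairs can never serialize to the same bytes.
func tbs(subject ed25519.PublicKey, claim, scope string) []byte {
	b := []byte(fmt.Sprintf("%d:%s,%d:%s,", len(claim), claim, len(scope), scope))
	return append(b, subject...)
}

// Issue lets the holder of issuer sign a certificate for subject.
func Issue(issuer ed25519.PrivateKey, subject ed25519.PublicKey, claim, scope string) Cert {
	return Cert{Subject: subject, Claim: claim, Scope: scope, Sig: ed25519.Sign(issuer, tbs(subject, claim, scope))}
}

// VerifyChain walks chain from the trust anchor: certificate i must carry
// claims[i] for scope and be signed by the subject of certificate i-1 (the
// anchor for i = 0). It returns the key the chain finally authorizes.
func VerifyChain(anchor ed25519.PublicKey, chain []Cert, claims []string, scope string) (ed25519.PublicKey, error) {
	if len(chain) == 0 || len(chain) != len(claims) {
		return nil, errors.New("chain length does not match expected claims")
	}
	signer := anchor
	for i, c := range chain {
		if c.Claim != claims[i] {
			return nil, fmt.Errorf("cert %d: claim %q, want %q", i, c.Claim, claims[i])
		}
		if c.Scope != scope {
			return nil, fmt.Errorf("cert %d: scope %q, want %q", i, c.Scope, scope)
		}
		if !ed25519.Verify(signer, tbs(c.Subject, c.Claim, c.Scope), c.Sig) {
			return nil, fmt.Errorf("cert %d: bad signature", i)
		}
		signer = c.Subject
	}
	return signer, nil
}

// OwnerChainClaims is the address chain for a GIA or AS-outer RIA address:
// IANA assigns the address to its owner, who entitles an interface to membership.
var OwnerChainClaims = []string{"address-delegation", "membership"}

// AuthorizeMember is the Group Discoverer's check: the address chain anchored
// at IANA and the admission certificate anchored at the AS must both end at
// the key of the member that is joining.
func AuthorizeMember(iana, as ed25519.PublicKey, ownerChain []Cert, admission Cert, addr string, member ed25519.PublicKey) error {
	m, err := VerifyChain(iana, ownerChain, OwnerChainClaims, addr)
	if err != nil {
		return fmt.Errorf("address chain: %w", err)
	}
	if !m.Equal(member) {
		return errors.New("address chain does not end at the joining member")
	}
	a, err := VerifyChain(as, []Cert{admission}, []string{"admission"}, addr)
	if err != nil {
		return fmt.Errorf("admission: %w", err)
	}
	if !a.Equal(member) {
		return errors.New("admission certificate is for a different member")
	}
	return nil
}

// AuthorizeServerForClient is the client-side check: clients hold only IANA's
// key, so they verify the address chain and nothing about admission.
func AuthorizeServerForClient(iana ed25519.PublicKey, ownerChain []Cert, addr string, server ed25519.PublicKey) error {
	m, err := VerifyChain(iana, ownerChain, OwnerChainClaims, addr)
	if err != nil {
		return err
	}
	if !m.Equal(server) {
		return errors.New("address chain does not end at the server key")
	}
	return nil
}

func main() {
	const addr = "2001:db8:1::1" // constructed anycast address in the documentation range
	ianaPub, ianaPriv, _ := ed25519.GenerateKey(rand.Reader)
	asPub, asPriv, _ := ed25519.GenerateKey(rand.Reader)
	ownerPub, ownerPriv, _ := ed25519.GenerateKey(rand.Reader)
	memberPub, _, _ := ed25519.GenerateKey(rand.Reader)
	chain := []Cert{Issue(ianaPriv, ownerPub, "address-delegation", addr), Issue(ownerPriv, memberPub, "membership", addr)}
	fmt.Println("legitimate member:", AuthorizeMember(ianaPub, asPub, chain, Issue(asPriv, memberPub, "admission", addr), addr, memberPub))
	// A rogue host that self-signs its membership fails at the signature check.
	roguePub, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	rogue := []Cert{chain[0], Issue(roguePriv, roguePub, "membership", addr)}
	fmt.Println("rogue member:", AuthorizeMember(ianaPub, asPub, rogue, Issue(asPriv, roguePub, "admission", addr), addr, roguePub))
}
```

The scope check is what stops a member certified for one anycast address from announcing a different one, and the separate admission check is what stops a legitimate member of the group from announcing itself from a region whose AS has not admitted it.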
Host-based Anycast using MLD
This Internet draft proposes discovering anycast members the same way the Multicast Listener Discovery (MLD) protocol discovers multicast listeners:
A host sends a Report or a Leave to the adjacent router (i.e. the Group Discoverer) when joining or leaving a group.
Group Discoverers periodically send a Query to learn the status of adjacent members.
Anycast Group Characteristics
Semantically, each anycast group provides a service.
Normally, members join or leave a group infrequently, so the rate at which they advertise joins and leaves to Group Discoverers is low.
Members should report their status (liveness) more frequently than that.
The processing delay for a join need not be strictly bounded, as other members can provide the same service in the meantime.
The processing delay for a leave should be as low as possible, so that clients are not routed to a member that no longer serves the group.
The locations of anycast members can be rather limited and stable, so there is no need to deploy a Group Discoverer at every access border of the routing system. Deploying fewer Group Discoverers is both economical and more secure.
Secure Anycast Listener Discovery
The Scenario
[Figure: an anycast member and a Group Discoverer, reachable from each other across the Internet, exchanging three message types: Join, Heartbeat and Leave]
The secure channel between an anycast member and the Group Discoverer is built during the join phase on IPsec, by authenticating the certificates described above.
S-ALD Features
Members report actively, not driven by a query:
network bursts (all members answering one query at the same time) are largely reduced;
members and Group Discoverers need not be on the same link.
Group Discoverers should record the status of registered members:
for the sake of the secure sessions;
other information, e.g. each member's load, may be useful for anycast route choice.
Given the anycast group characteristics above, S-ALD is secure, low-overhead and manageable.
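The following Go program is an added example of the Group Discoverer's member table for the Join / Heartbeat / Leave exchange above; it is not the authors' implementation. It assumes that Join is called only after the certificate check and IPsec set-up have succeeded, that members are keyed by their unicast address (they need not be on the Discoverer's link), that a member silent for more than a configurable number of heartbeat intervals is expired and must Join again, and that the optional load value in a Heartbeat orders the members for route choice. The heartbeat period, the timeline and all addresses are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"sort"
	"time"
)

// Member is the Group Discoverer's record of one registered anycast member.
// Load is the optional hint carried in Heartbeats for anycast route choice.
type Member struct {
	Unicast  netip.Addr
	Anycast  netip.Addr
	LastSeen time.Time
	Load     float64
}

// Discoverer holds S-ALD state. Time is passed in explicitly so the expiry
// logic can be exercised without waiting.
type Discoverer struct {
	Interval time.Duration // expected heartbeat period
	Missed   int           // heartbeat intervals a member may stay silent before expiry
	members  map[netip.Addr]*Member
}

func NewDiscoverer(interval time.Duration, missed int) *Discoverer {
	return &Discoverer{Interval: interval, Missed: missed, members: map[netip.Addr]*Member{}}
}

// Join registers an authorized member. The certificate verification and the
// IPsec security association are assumed to have been completed before this call.
func (d *Discoverer) Join(unicast, anycast netip.Addr, now time.Time) error {
	if !unicast.Is6() || !anycast.Is6() {
		return errors.New("S-ALD as described here registers IPv6 addresses")
	}
	if _, ok := d.members[unicast]; ok {
		return fmt.Errorf("%s already registered; send Heartbeat, not Join", unicast)
	}
	d.members[unicast] = &Member{Unicast: unicast, Anycast: anycast, LastSeen: now}
	return nil
}

// Heartbeat refreshes a registered member. An unknown sender is rejected, so a
// member whose record has expired must re-authenticate through Join.
func (d *Discoverer) Heartbeat(unicast netip.Addr, load float64, now time.Time) error {
	m, ok := d.members[unicast]
	if !ok {
		return fmt.Errorf("%s not registered; Join required", unicast)
	}
	m.LastSeen, m.Load = now, load
	return nil
}

// Leave removes the member at once, since leave latency should be minimal.
// It reports whether the member was registered.
func (d *Discoverer) Leave(unicast netip.Addr) bool {
	_, ok := d.members[unicast]
	delete(d.members, unicast)
	return ok
}

// Expire drops members silent for longer than Missed heartbeat intervals and
// returns their unicast addresses in sorted order.
func (d *Discoverer) Expire(now time.Time) []netip.Addr {
	limit := d.Interval * time.Duration(d.Missed)
	var gone []netip.Addr
	for u, m := range d.members {
		if now.Sub(m.LastSeen) > limit {
			gone = append(gone, u)
			delete(d.members, u)
		}
	}
	sort.Slice(gone, func(i, j int) bool { return gone[i].Less(gone[j]) })
	return gone
}

// Members lists the live members of one anycast group, least loaded first,
// which is the order a load-aware route choice would prefer.
func (d *Discoverer) Members(anycast netip.Addr) []Member {
	var out []Member
	for _, m := range d.members {
		if m.Anycast == anycast {
			out = append(out, *m)
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Load != out[j].Load {
			return out[i].Load < out[j].Load
		}
		return out[i].Unicast.Less(out[j].Unicast)
	})
	return out
}

func main() {
	d := NewDiscoverer(10*time.Second, 3)
	t0 := time.Date(2003, 8, 25, 9, 0, 0, 0, time.UTC) // constructed timeline
	group := netip.MustParseAddr("2001:db8:1::1")
	u1, u2 := netip.MustParseAddr("2001:db8:a::1"), netip.MustParseAddr("2001:db8:b::1")
	_ = d.Join(u1, group, t0)
	_ = d.Join(u2, group, t0)
	_ = d.Heartbeat(u1, 0.9, t0.Add(10*time.Second))
	_ = d.Heartbeat(u2, 0.2, t0.Add(10*time.Second))
	fmt.Println("preferred member:", d.Members(group)[0].Unicast)
	_ = d.Heartbeat(u1, 0.9, t0.Add(40*time.Second)) // u2 has gone silent
	fmt.Println("expired:", d.Expire(t0.Add(41*time.Second)))
	fmt.Println("late heartbeat from u2:", d.Heartbeat(u2, 0.1, t0.Add(42*time.Second)))
}
```

Because the Discoverer never sends a Query, nothing in this exchange can make many members answer at once, and the only way for a silent member to come back is a fresh Join that repeats the certificate check.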
Our contributions
Authorization Scheme for Secure Anycast
Anycast Group Characteristics
The Resulting S-ALD protocol
Prospect
IP Anycast is useful for service discovery, automatic configuration, load balancing, etc.
But, for security reasons, IPv6 (RFC 2373) requires that anycast addresses must NOT be assigned to hosts "until more experience has been gained and solutions agreed upon".
With Anycast Secure Group Management, this restriction can be lifted.
The End

Questions?