Transcript slides

Architectural issues for network-layer identifiers
Stefan Savage
Dept of Computer Science & Engineering
UC San Diego

Historical context
- In the beginning... it was amazing the net worked at all.
- Everyone was a good actor.

Existing Internet design
- Focused on universal connectivity
  - Actively trying to introduce a homogeneous substrate
- IP address identifiers exist purely for the purpose of connectivity
  - Dst address for routing, src address to identify the destination for replies
  - Strictly voluntary
- Unbound usage model
- Security not a significant consideration in the network layer; trust everyone equally
- Cryptography expensive relative to transport
- Cryptographic abstractions limited
  - Still true when IPsec was designed

What has changed?
- Many users/providers don't want homogeneity
  - Most src addresses today are NATed
  - We want to limit who can talk to whom
- Huge growth in criminal activity
  - 10s of millions of compromised machines
  - Sophisticated abuse of the network layer

Problems
- Network architecture provides "how"
- Security questions are mainly about "who" and "what"
- Ad hoc, brittle mappings between the two
  - Firewalls (address, port)
  - Ingress/egress filtering
  - DDoS filtering (TTL hack, blackholing, etc.)

Key issue
- Can't count on the src address being correct or global
- Even if it is correct, it only represents the existence of an endpoint
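To make the last two slides concrete, here is an added example (not from the slides, and not Savage's code): a BCP38-style ingress filter and an address/port firewall run over four constructed packets. The interfaces, prefixes, addresses and the `true_sender` ground truth are all made up for the illustration; a real router only ever sees the header fields. The point it demonstrates is that the filters decide on "how" (arrival interface, source prefix, port) while the policy silently assumes that answers "who": an on-prefix spoof and a NATed source both pass every check.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ingress_if: str    # interface the packet arrived on: the network's "how"
    src: str           # source address as carried in the header
    dst: str
    dport: int
    true_sender: str   # ground truth for the example only; no router ever sees this


# Constructed topology: the prefix that legitimately lives behind each customer port.
INGRESS_PREFIXES = {
    "cust0": ipaddress.ip_network("198.51.100.0/24"),
    "cust1": ipaddress.ip_network("203.0.113.0/24"),
}

# Constructed firewall policy: (source prefix, destination port) pairs that are allowed.
FIREWALL_ALLOW = [
    (ipaddress.ip_network("203.0.113.0/24"), 22),
]


def ingress_filter(pkt: Packet) -> bool:
    """BCP38-style ingress filtering: keep the packet only if its source address
    belongs to the prefix expected on the interface it arrived on."""
    prefix = INGRESS_PREFIXES.get(pkt.ingress_if)
    return prefix is not None and ipaddress.ip_address(pkt.src) in prefix


def firewall_allows(pkt: Packet) -> bool:
    """Address/port firewall: the only handle it has on 'who' is the source address."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net and pkt.dport == port for net, port in FIREWALL_ALLOW)


def classify(pkt: Packet):
    """Return (passes_filters, src_names_real_sender).

    The first element is all the network can decide.  The second uses the
    example's ground truth and is what the access-control decision silently
    assumes."""
    passed = ingress_filter(pkt) and firewall_allows(pkt)
    return passed, pkt.src == pkt.true_sender


# Constructed packets toward an SSH server at 192.0.2.9.
HONEST = Packet("cust1", "203.0.113.10", "192.0.2.9", 22, "203.0.113.10")
# Spoofed from another customer port: the address is off-prefix, so ingress filtering catches it.
OFF_PREFIX_SPOOF = Packet("cust0", "203.0.113.10", "192.0.2.9", 22, "198.51.100.77")
# Spoofed by a neighbour inside the same /24: on-prefix, so nothing at the network layer notices.
ON_PREFIX_SPOOF = Packet("cust1", "203.0.113.10", "192.0.2.9", 22, "203.0.113.200")
# Honest but NATed: the source address names the NAT box, not the host behind it.
NATED = Packet("cust1", "203.0.113.1", "192.0.2.9", 22, "10.0.0.5")


def run_example():
    """Evaluate the four constructed packets."""
    return {
        name: classify(pkt)
        for name, pkt in [("honest", HONEST), ("off_prefix_spoof", OFF_PREFIX_SPOOF),
                          ("on_prefix_spoof", ON_PREFIX_SPOOF), ("nated", NATED)]
    }


if __name__ == "__main__":
    for name, (passed, attributable) in run_example().items():
        print(f"{name:17s} passes filters={passed!s:5s} src names real sender={attributable}")
```

Ingress filtering only bounds the source address to a prefix; anything inside the prefix is indistinguishable from the honest host, and a NAT collapses many hosts onto one address that the firewall then treats as a single principal.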

Worth rethinking...
- How might we design packet identifiers to provide useful attribution?

Attribution – working definition:
The act of linking identity with action

Uses
- Authentication: who wants to do that?
  - Access control
- Situational awareness: who is doing that now?
  - Operational response (e.g. filtering DDoS, botnet C&C)
- Forensics: who did that in the past?
  - Investigatory, evidentiary

Design options
- Meaning of identifier
  - Network attribute
    - IP address: topological endpoint
    - Path: topological route (StackPI)
    - Capability: right to access something
  - Physical attribute
    - Location: place the packet was sent from (used today in payment systems)
    - Originator: machine the packet was sent from
  - User attribute
    - Principal: evidence of an individual
- Scope of identifier (local, global, in-between)
- Who can interpret (anyone, trusted party, hybrid)
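The last two axes on this slide, scope and who can interpret, are easy to confuse, so here is an added example (not from the slides, and not a design the talk proposes) that places three identifiers at different points in that space using only a keyed hash. The principal names, the escrow key and the scope strings are constructed for the illustration.

```python
import hashlib
import hmac

# Constructed: the principals the trusted party knows about, and the escrow key
# that only the trusted party holds.
PRINCIPALS = ["alice@example.net", "bob@example.net"]
TRUSTED_KEY = b"\x01" * 32


def tag_anyone(principal: str) -> bytes:
    """Anyone can interpret, global scope: the identifier is the principal name itself."""
    return principal.encode()


def tag_trusted_only(principal: str, key: bytes = TRUSTED_KEY) -> bytes:
    """Trusted party only, global scope: the same pseudonym appears in every packet,
    so anyone can link packets to each other, but mapping the tag back to a
    principal needs the key."""
    return hmac.new(key, principal.encode(), hashlib.sha256).digest()


def tag_scoped(principal: str, scope: str, key: bytes = TRUSTED_KEY) -> bytes:
    """Trusted party only, local scope: tags are linkable only within one scope
    (an epoch, a domain, a destination), and unlinkable across scopes."""
    return hmac.new(key, scope.encode() + b"\0" + principal.encode(), hashlib.sha256).digest()


def trusted_party_resolve(tag: bytes, candidates=PRINCIPALS, scope=None,
                          key: bytes = TRUSTED_KEY):
    """The trusted party resolves a tag by recomputing it over the principals it
    knows; without the key (or the right scope) nothing matches."""
    for principal in candidates:
        expected = (tag_scoped(principal, scope, key) if scope is not None
                    else tag_trusted_only(principal, key))
        if hmac.compare_digest(expected, tag):
            return principal
    return None


if __name__ == "__main__":
    t = tag_trusted_only("bob@example.net")
    print("global pseudonym resolves to:", trusted_party_resolve(t))
    print("same pseudonym, wrong key:", trusted_party_resolve(t, key=b"\x02" * 32))
    e1 = tag_scoped("alice@example.net", "epoch-1")
    e2 = tag_scoped("alice@example.net", "epoch-2")
    print("scoped tags differ across epochs:", e1 != e2)
```

A keyed-hash pseudonym gives the trusted party a single point of interpretation and nothing to anyone else; the primitives the next slide lists (group signatures, IBE, attribute-based schemes) are what let a design sit at the hybrid point, where some parties can verify a property of the sender without learning who it is.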

New opportunity
- Crypto has advanced significantly
  - Many operations are comparatively cheap now
    - 10s of microseconds
    - Line-rate hardware implementations feasible
  - Completely new kinds of cryptography
    - Groups, aggregates, append-only, IBE, attribute-based crypto, homomorphic crypto, broadcast systems, etc.
    - It's not just encrypt, hash and sign anymore...
- New tools provide new design opportunities

Remaining agenda
- Revisiting the cryptographic toolbox (Boneh)
- Local identifiers for access control (Casado)
- Global identifiers for forensics (Savage)

Attribution
- To whom