Accountability Internet Protocol (AIP)

Download Report

Transcript Accountability Internet Protocol (AIP) 

Accountability Internet
Protocol (AIP)
David G. Andersen (CMU)
Hari Balakrishnan (MIT)
Nick Feamster (Georgia Tech)
Teemu Koponen (ICSI & HIIT)
Daekyeong Moon, Scoot Shenker (UCB)
In Proc. SIGCOMM, 2008
Speaker:Yun Liaw
Outline
 Introduction
 AIP Design
 Uses of Accountability
 Routing Scalability with AIP
 Key management
 Traffic Engineering and AD Size
 Related Work, Conclusion and Comments
1
Speaker : Yun Liaw
2/13/09
Introduction
 Accountability:
The fundamental ability to associate an action with the
responsible entity
 The problematic requirements of past approaches:
1. Complicated mechanisms
2. External sources of trust (e.g., CA in S-BGP)
3. Operator vigilance (e.g., Ingress Filtering)
 AIP: A next generation network architecture that
provides accountability as first-order property
2
Speaker : Yun Liaw
2/13/09
AIP Design
3
Speaker : Yun Liaw
2/13/09
AIP Design
 A simple generalization of Internet’s original two-level
hierarchical addressing structure – AD:EID
 Accountability Domains (AD):
 Independently administered networks, each with a unique
identifier
 Multiple levels in hierarchy of AD is supported
 End-Point Identifier (EID): Host-assigned globally
unique identifier
 Interface bits (if): The last 8 bits of EID, in order to handle the
hosts that attaches multiple times to the same AD
 General form of AIP – AD1:AD2:...:ADk:EID
4
Speaker : Yun Liaw
2/13/09
AIP Design
 Self Certifying: The name of an object is the public key
that corresponds to that object
⇒
Accountability needs verifiable identity
⇒
We use cryptographic signatures for verification
⇒
The identifier should be bound to their public key
⇒
Security should not rely on manual configuration or
trusted authorities
 AD: The hash of the public key of the domain
 EID: The hash of the public key of that corresponding
host
5
Speaker : Yun Liaw
2/13/09
6
Speaker : Yun Liaw
2/13/09
Forwarding and Routing
Before reach Dest AD
Forward by Dest AD (next hop) only
After reach Dest AD (next hop) border router
Examine next field of Dest AD stack and replace Dest AD (next hop)
After reach the last Dest AD
Forward by Dest EID only
7
Speaker : Yun Liaw
2/13/09
Uses of Accountability
8
Speaker : Yun Liaw
2/13/09
Source Accountability: Detecting &
Preventing Source Spoofing
• uRPF (Unicast Reverse Path Forwarding): An automatic filtering
mechanism that accepts packets only if the route to the packet’s
source points to the same interface on which the packet arrived
9
Speaker : Yun Liaw
2/13/09
Source Accountability:
EID verification
10
Speaker : Yun Liaw
2/13/09
Source Accountability:
AD verification - Scalability
 Accept cache management: If the number of entries
for single AD exceeds the threshold, upgrade to an
single-AD wildcard AD:*
 Division of filtering responsibility:
 Border routers: Verify the source of customer whose
return path does not go directly to the customer
 Interior routers: Need not perform further actions
 Peering routers: Large peers, will likely to trust the
peer’s verification based on a bilateral contractual
agreement
11
Speaker : Yun Liaw
2/13/09
Source Accountability:
AD verification
 “Protect those who
protect themselves”
 Limiting Address
Minting
 EID limiting: Place
EIDs/second limit on
each port
 AD limiting: Limit the
number of ADs that a
customer could
announce
12
Speaker : Yun Liaw
2/13/09
Source Accountability:
Shut-off Protocol
 Smart-NIC (Smart Network Interface Card)
1. Check the hash
2. If hash matches, suppressing the traffic for the
duration of TTL
13
Speaker : Yun Liaw
2/13/09
Source Accountability:
Securing BGP
 AIP simplifies the task of deploying mechanisms, since IP
lacks a firm binding between public keys, ASes, and prefixes
 Operators configure a BGP peering session, and the session is
automatically aware of the public keys by identifying the peer
AD
 BGP routers sign the routing announcements, and routers
that receiving a update should verify before applying it
 Each router must be able to find the public key that
corresponds to that AD
14
Speaker : Yun Liaw
2/13/09
Routing Scalability with AIP
15
Speaker : Yun Liaw
2/13/09
Routing Growth Estimation
 Diameter of the Internet / AS path length: shrinking
 Routing table size:
 BGP update volume:
 By 2020, when a BGP session resets, the routers will have to
exchange ≥ 1.6 millions prefixes with each peer, ideally in a
few seconds
16
Speaker : Yun Liaw
2/13/09
Routing Table Size
17
Speaker : Yun Liaw
2/13/09
Effects of Moving to AIP
 FIB (Forwarding Information Base) lookups
become flat
 The prefix size (32 bits) and ASes (16 bits) will
increase to 160 bits (hash of public key)
 Router will need to store a copy of each AD’s
public key
 CPU costs for cryptographic operations (similar
to S-BGP)
 The Internet diameter may keep unchanged
18
Speaker : Yun Liaw
2/13/09
Resource Requirements
 Semiconductor Growth Trends: Moore’s Law
 RIB & FIB storage (RAM):
19
Speaker : Yun Liaw
2/13/09
Resource Requirements
 Update processing (CPU): Routing table would grow by a
factor of between 5 and 9 by 2020, and the Moore’s Law
expects that CPU is grow by a factor of 16
 Cryptographic overhead:
 By 2020, a commodity CPU should be able to verify 480K and
create 13K signatures per second
 Verifying one signature for each route announcement from each
 20 peers
 66seconds
of 20 peers would requires 1.6Mroutes
480000sigs /sec
 In summary, technology trends suggest that routing
scalability with respectto memory, CPU and so on are all
manageable
20
Speaker : Yun Liaw
2/13/09
Key Management
21
Speaker : Yun Liaw
2/13/09
Key Discovery
 The key is obtained automatically once the
address is known
 Address can be obtained by any kind of
lookup service: manually, S-DNS, etc.
 Assume that peering ADs can identify each
other out-of-band
22
Speaker : Yun Liaw
2/13/09
Key Registries
 Maintain a public registry for each AD and the ADs to which
each EID is bound
 Assumption:
 The existence of global registries where principals can register
cryptographically signed assertions
 The existence of per-domain registries that can be housed by
the ISP itself
 Advantages:
 No need for any central authority. The registry verifies the
signature before storing data
 The registry can be populated by the entities involved, with no
need for human intervention or involvement
23
Speaker : Yun Liaw
2/13/09
Key Registries
 Class of Assertions in the registries:
 Keys: {X,KX }
 Revoked keys: {K X ,is _ revoked}K
1
X
 Peerings: {A,K A ,B,K B }K {A,K A ,B,K B }K

ADs of EID X: {A, X}
1
A

1
B
K A1 K B1
 First hop router of X:


{Router, X, MACX }K 1 K 1
 Router X

24
Speaker : Yun Liaw
2/13/09
Key Registries
 Maintaining the domains registry – by AD
 Forcing domain to sign A:X entries before the DNS
server and resolvers will accept them as the result of a
DNS resolution
 Using the registries:
 For hosts: Check the global registry for which domain
are hosting it, and check the domain-specific registry
for first-hop routers are hosting it
 For domains: Checks the global registry to see which
domains claim to be peering with it
25
Speaker : Yun Liaw
2/13/09
Traffic Engineering and AD Size
26
Speaker : Yun Liaw
2/13/09
Traffic Engineering
 Goal: To map an offered load on to a set of available paths
 ADs cannot be split into sub-prefixes for finer control
over routing
 AD Granularity
 AD: A group of nodes that meets these two criteria–
 They are administered together
 They would fail together under common network failures
 AD granularity corresponds roughly to the way in which
connectivity to the network changes
27
Speaker : Yun Liaw
2/13/09
Traffic Engineering
 Splitting ADs for TE
 ISPs could creating an AD from each prefix in the widearea BGP routing tables
 One can use interface bits in order to sub-divide an AD
 DNS-based load balancing
 Server-centric view: How to load balance traffic destined
for a particular service across machines in a cluster or
across data centers
 AIP’s interface bits might simplify the load-balancing by
representing a service as a single “host” multiple times
28
Speaker : Yun Liaw
2/13/09
Related Work, Conclusion and
Comments
29
Speaker : Yun Liaw
2/13/09
Related Work & Conclusion
 Related Work
 Self-certifying names (CGA, HIP)
 Separating identifiers and locators (GSE/8+8)
 Scalability
 Source accountability (packet filtering, Passport)
 Control-plane accountability (S-BGP, soBGP)
 Conclusion
 Using a simple hierarchical addressing scheme with self-
certifying components to enable accountability, to solve source
spoofing, DoS traffic, and S-BGP
30
Speaker : Yun Liaw
2/13/09
Comments
 Some assumptions seems not feasible today (e.g., global key
registry)
 Who should hold the accountability?
 The Next-Generation network architecture would always
face the problem that how to make people adopt it
 Do we really need accountability as the first-order property
in Internet?
31
Speaker : Yun Liaw
2/13/09