IPclip: An Architecture to Restore Trust-by-Wire in Packet-switched Networks
Thomas Bahls, Daniel Duchow
Nokia Siemens Networks, Broadband Access Division
Harald Widiger, Stephan Kubisch, Peter Danielis, Jens Schulz, Dirk Timmermann
University of Rostock, Institute of Applied Microelectronics and Computer Engineering

Outline
  Trust-by-Wire
  IPclip – The Mechanism
  Hardware Realization
  Prototype
  Conclusion
19.10.2008 University of Rostock 2

Challenges
  VoIP (Emergency Calls)
  SPAM
  Phishing
  P2P support

Trust-by-Wire
Fixed line telephony vs. Internet
Fixed line telephony
  Circuit switched
  Telephone number for identification
  Direct relation between location and line
  Trust-by-Wire
Internet
  Packet switched
  IP addresses not distinct for identification
  No (trustable) location information

IPclip - Mechanism
  IPclip is used to provide a useful degree of TbW in IP networks
  IPclip = IP Calling Line Identification Presentation
  Location information (e.g., GPS) is added to each IP packet as IP option
  Either by the user or by the access node of an access network
[Figure: users with and without GPS behind an Access Node with IPclip @ Pos (x,y), connected to the Internet. Labels: Verified Location Information, Unverified Location Information, No Location Information]

IPclip - Option
  What kind of location information do we use?
  IP header can contain IP options
  IP options show a type-length-value structure
  Location information as value part of an IP option
[Figure: packet layout: IP Header, IP Options ..., UDP, TCP, ...]
[Figure: IPclip option fields: IP Type, IP Length, IPclip Type, Status Field, Latitude, Latitude (cont.), Longitude, Access Port, Access Node ID, Padding]

IPclip - Position
  Access Network most reasonable place for adding/verifying LI
  Access node is the 1st trustworthy network element
  User provided location information solely verified here
  Access port + access node ID as complementary information
[Figure: network topology. Labels: User, Access Ports, Linecards, Aggregation, Access Node (ID = 0xab) with IPclip, Access Network, Broadband Access Server, Metro/Core Network, ISP]

IPclip – Trustable LI
  Using IPclip for ensuring trustworthy LI in IP
  User provided LI trustworthy if within access node's subscriber catchment area (SCA)
  IPclip on access node sets flags in status field depending on LI's trustworthiness
[Figure: Access Node's SCA (normalized coords) with corners (0;0), (1;0), (0;1), (1;1)]
  Access Node @ Position (0.5;0.5)
  Alice @ Position (0.2;0.7), Alice sends Position (0.2;0.7), Alice's Flags = user provided, trusted
  Eve @ Position (0.3;0.2), Eve sends Position (1.2;1.4), Eve's Flags = network provided, untrusted
Status Field
  Removal Flag
  Peering Flag
  Source Flag
  Trustability Flag

IPclip Architecture
  IPoE MTU Adaptation Module – MAM
  PPPoE MTU Adaptation Module – PAM
  Packet Classifier – PC
  Option Verification Module – OVM
  Additional Information Adder – AIA
  Additional Information Remover – AIR
[Figure: IPclip block diagram between CPE and Core Network with upstream and downstream paths through MAM, PAM, PC, OVM, AIA and AIR. Labels: Memory Interface, Location Memory, Option Location Information, Option Size, MTU, Port Number]

MAM & PAM
PPPoE MTU Adaptation
  MTU Negotiation in PPP session phase
  Upstream: MTU = MTU - Option_Size
  Downstream: MTU = MTU + Option_Size
IPoE MTU Adaptation
  Path MTU Discovery for dynamic MTU adaptation
  MTU too big after option insertion: ICMP message to origin
  Adaptation of ICMP messages from downstream

Packet Classifier
  Assignment of physical user port to each incoming packet
  Key: SRC-IP and VLAN-Tag
  Result: User Port (16 Bit)
  Search in a sorted memory: O(log(N))
  1.5 clock cycles per memory access
  Insertion and Deletion: O(N+log(N))

OVM
  Check if frame's origin is within a rectangle of which linecard is the center (SCA)
  Both GPS LI and GLI can be used
[Figure: OVM block diagram. Labels: Frame In, Read State Machine, IPclip option, LI (GPS / GLI), CALC, SCA, Width of SCA, Length of SCA, LI Option size, Valid IP Opt (YES / NO), Discard, Send State Machine, Frame OUT]

OVM
  Conversion factor between linear and angular measurement constant for longitude
  Conversion factor for latitude depends on longitude
    1'' in polar regions = 0.54 m
    1'' in equatorial regions = 31.0 m
  Width and length calculated in [ams]

AIA
  Add IPclip option to each packet
  Add only AN ID and port to existing IPclip options
[Figure: AIA flow chart. Labels: Frame in, Is IP? (Yes / No), Port Exists, Port Number, Valid IP Opt, Add/Remove LI, Add LI, Option Size, Discard, Discard Unconfigured, Frame out]

AIR
  Optional submodule in downstream to strip IPclip options from packets
  Assurance that correct IHL, Total Length and Checksum fields are recomputed
  May be required for security reasons
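
What the AIR step involves for one IPv4 packet, as an added example that is not code from the slides or the prototype: walk the type-length-value options, drop the IPclip option, re-pad the header, and recompute IHL, Total Length and Checksum. The option type value 0x9E and the sample packet are hypothetical placeholders, since the slides do not give the real option number or field widths.

```python
import struct

IPCLIP_OPT = 0x9E  # hypothetical option type; the slides do not give the real value

def checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (IPv4 header checksum)."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def walk_options(opts: bytes):
    """Yield (type, raw bytes) per option; reject lengths that leave the header."""
    i = 0
    while i < len(opts) and opts[i] != 0:      # 0 = End of Option List
        if opts[i] == 1:                       # 1 = No-Operation, single byte
            length = 1
        elif i + 1 >= len(opts) or not 2 <= opts[i + 1] <= len(opts) - i:
            raise ValueError("malformed IP option length")
        else:
            length = opts[i + 1]
        yield opts[i], opts[i:i + length]
        i += length

def strip_option(packet: bytes, opt_type: int = IPCLIP_OPT) -> bytes:
    """Remove every option of opt_type, then fix IHL, Total Length, Checksum."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total = struct.unpack_from("!H", packet, 2)[0]
    if not 20 <= ihl <= total <= len(packet):
        raise ValueError("inconsistent IHL / Total Length")
    kept = b"".join(raw for t, raw in walk_options(packet[20:ihl]) if t != opt_type)
    kept += bytes(-len(kept) % 4)              # pad to a 32-bit boundary with EOL
    hdr = bytearray(packet[:20] + kept)
    hdr[0] = 0x40 | (len(hdr) // 4)            # version 4, new IHL in words
    struct.pack_into("!H", hdr, 2, len(hdr) + total - ihl)
    struct.pack_into("!H", hdr, 10, 0)         # checksum field is zero while summing
    struct.pack_into("!H", hdr, 10, checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:total]

def sample_packet() -> bytes:
    """Constructed input: NOP + 11-byte option of IPCLIP_OPT, 4-byte payload."""
    opts = b"\x01" + bytes([IPCLIP_OPT, 11]) + bytes(9)
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x48, 0, 36, 0, 0, 64, 17, 0,
                                bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + opts)
    struct.pack_into("!H", hdr, 10, checksum(bytes(hdr)))
    return bytes(hdr) + b"data"
```

A stripped packet whose IHL or Total Length still describes the old header is dropped or misparsed downstream, which is why the slide lists all three fields.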

Prototype
  Xilinx Virtex ML405 FPGA development board – Virtex-4 FX20
  FPGA fairly utilized (7486 Slices, 55 BRAMs)

Resource Consumption
  Module                          Slices  BRAMs
  MAM                                786      1
  PAM                                163      0
  PC                                 832     11
  AIA                               1019      4
  OVM                               2491      2
  AIR                                519      6
  EMAC; Glue; Prototype related     1700     31
  IPclip Prototype                  7486     55

Performance
[Figure: IPclip Throughput (1 Gbps). Throughput [%] over frame size (64, 128, 256, 512, 1024, 1280, 1518) for packets without LI and packets with LI]

Performance
Realistic Data
  35% 64 Byte
  10% 594 Byte
  11% 1518 Byte
  44% Random
Delay with LI
  690 to 1200 cycles
Delay without LI
  700 to 1900 cycles
[Figure: Loss rate with realistic traffic. Loss rate [%] over fraction of traffic containing LI from CPE [%] (0, 25, 50, 75, 100)]

Conclusion
  IPclip establishes TbW in IP-based networks
  Implemented on an AN, IPclip can insert or validate location information
  HW prototype is capable to serve 1 Gbps
  IPclip enables interesting new applications and solutions
    VoIP emergency calls
    Fighting SPAM and Phishing
    Improve P2P traffic