Communication Security in Next Generation Networks January 29, 2004 Takashi Egawa, Yoshiaki Kiriha, Akira Arutaki NEC Corporation


January 29, 2004 NEC Proprietary 2

IP networks as an infrastructure

• In 2002 NTT stopped investment to renew Plain Old Telephone Service (POTS).
  – The shift towards a pure IP network started.

We cannot rely on telephone networks any more. IP networks must become grown-ups.

• However, the IP network has many problems to overcome before it can become an infrastructure.
  – The traceability and manageability that telephone networks have do not exist in current IP networks.
  – This comes from IP's design principle.

Today’s VoIP networks use POTS service to improve their reliability and to realize emergency calls.

Such things will become impossible in the future.


IP Design Philosophy: Main Goals

• Effective multiplexed utilization of existing networks
  – Packet switching, not circuit switching

• Continued communication despite network failures
  – Routers don't store state about ongoing transfers
  – End-hosts provide key communication services

• Support for multiple types of communication service
  – Multiple transport protocols (e.g., TCP and UDP)

• Accommodation of a variety of different networks
  – Simple, best-effort packet delivery service
  – Packets may be lost, corrupted, or delivered out of order

• Distributed management of network resources
  – Multiple institutions managing the network
  – Intradomain and interdomain routing protocols

Grosshauser (2002)


Characteristics of the Internet

• The Internet is
  – Decentralized (loose confederation of peers)
  – Self-configuring (no global registry of topology)
  – Stateless (limited information in the routers)
  – Connectionless (no fixed connection between hosts)

• These attributes contribute
  – To the success of the Internet
  – To the rapid growth of the Internet
  – …and to the difficulty of controlling the Internet :<

Grosshauser (2002)


Operator Philosophy: Tension with IP

• Accountability of network resources
  – But, routers don't maintain state about transfers
  – But, measurement isn't part of the infrastructure

• Reliability/predictability of services
  – But, IP doesn't provide performance guarantees
  – But, equipment is not very reliable (no 'five-9s')

  Downtime: IP networks: 471 min/year, POTS: <5 min/year

• Fine-grained control over the network
  – But, routers don't do fine-grain resource allocation
  – But, the network self-configures after failures

• End-to-end control over communication
  – But, end hosts adapt to congestion
  – But, traffic may traverse multiple domains

Grosshauser (2002)


In short, current IP networks are…

Traditional tools and MIBs are not enough to distinguish the reason why QoS degrades or where a security breach happens.

[Figure: an autonomous network in which "no person knows" where the problems are; labels: Problems!, Failure!, ping, Security Breach!]

Distributed, autonomous network is a labyrinth.


CIA: Three basic components of security

Integrity: Data must not be modified by unauthorized persons or programs.

Availability: Authorized users must be able to use data as they want.

Confidentiality: Data must not be shown to unauthorized persons or programs.

• Currently Confidentiality and Integrity are an end-user's role (e.g., IPsec)
• The network concentrates on Availability (QoS, reliability)
• This will not change soon, but in the future?


Then, what should we do for Availability?

1. Now: So what? I must make $$$.
   – Many ISPs don't (or can't) spend extra money for technologies to improve availability.
2. Near future: OK, we must develop tools to understand what's going on in IP networks.
   – Various traffic monitoring tools have been developed.
3. Future: OK, we have to undermine and change the nature of IP. But to change IP itself is impossible, so…
   – Thinning the IP layer: MPLS, GoE, OPES, TCP overlay, etc.
   – Scale-free networks


Now: So what? I must make $$$.

• Into which category are security/availability services put?
  – QoS, Traffic engineering: 2nd category
  – Virus scanning, SPAM filtering?
  – Confidentiality, Integrity?

• Which customers, and how many, put a service into the 1st category?

New services, new technologies:
  1st category, necessary and makes money:        VoIP(?), Online games
  2nd category, necessary but does not make money: Traffic engineering, QoS


Situation around QoS

• Anyway, most users and most traffic are satisfied. A system for special users is wanted; but DiffServ is for everybody.

[Figure: broadband access users, business customers, business users and residential users reaching network operators through a chain of DiffServ routers.]

• A QoS guarantee service is too expensive and too complicated.
• All related equipment must be QoS enabled. It is expensive.
• It takes much time to start the service (equipment, education, know-how).
• Slight QoS improvements do not bring money.

• Live video and online games may require QoS guarantee.
• But users won't pay a large amount.
• Not all traffic requires QoS guarantee.


ISPs' tactics to achieve availability are:

As a result, 'abundant resources. OK!'

• Prediction-based network design; this is the key.
  – Predict traffic demand, and make a plan for the investment.

• Basic tools (RMON, SNMP) are used to confirm that the prediction was correct.
  – Just confirmation. Simple tools are enough.

• If a trouble occurs (e.g., a failure), its cause is solved with these basic tools.
  – Special tools need $$$ and additional education. Difficult.

If this is the truth, what kind of properties must a tool have?

• A small start is indispensable.
  – Tools that protect special small users may be accepted.


Near future: Measurement method

• IETF started various WGs to standardize measurement methods and data formats
  – IPPM, IPFIX, PSAMP, …

• Consortiums
  – CAIDA

• Research projects
  – NIMI, RIPE/TTM, …

Hot topics in IETF and various consortiums

But since other speakers focus on this theme today, I'll skip this theme and…


Future: Ok, we have to change IP.

• Why is it so difficult?
  – IP is the key to interconnectivity.
  – Open standards are difficult to change.

• A sad example already exists: IPv6.
  – Its concept is exactly the same as IPv4, but still, it has not come yet.
    • No authentication, no authorization, no new-generation built-in diagnosis. And security is impossible to attach afterwards.
    • The discussion started in 1991. 13 years ago!

However, a frontal breakthrough is impossible.

Then, how can we change it?


Strategy: Thinning IP layer

• From the lower layer
  – MPLS, GMPLS
  – Global Open Ethernet (GOE); NEC's proposal
  These are trials to take routing and traffic engineering functions out of the IP layer.

• From the upper layer
  – IETF Open Pluggable Edge Service (OPES)
  – TCP Overlay
  These are trials to take routing functions out of the IP layer.

We should remove functions from the IP layer, and make it a mere address system.


Pros and cons of lower layer approach

• Every traffic is affected.
  – Precise traffic engineering/QoS control becomes possible.

• Bulk data transfer & no application information
  – The granularity of the control is coarse.

• (A meaningful portion of) L2 must be replaced with the new method (MPLS approach), or it must be interoperable with the currently dominant L2 (Ethernet) (GoE approach).

[Figure: terminal (AP/TCP/IP/Ethernet) - router (IP/Ethernet) - router (IP/MPLS) - router (IP/MPLS) - terminal (AP/TCP/IP); a part of the whole route (the special section) uses special L2/L1.]


Overview of Global Optical Ethernet (GOE) architecture

* Simple Ethernet VPN / VPLS by providing EoMPLS functions based on extended EESVLAN
* Forwarding tag:
  - Node address tag (routing tag) instead of VLAN tag
  - Unidirectional path as MPLS path
* Decoupling forwarding and customer info tag
  - Simple management
* Flexible/Extensible header

[Figure: SW -> GOE edge (push GOE tag) -> GOE core -> GOE edge (pop GOE tag) -> SW. The user's VLAN-tagged frame (1) enters and leaves the GOE network unchanged; inside it is carried as a GOE-tagged frame (2).]

(1) IEEE 802.1D VLAN-tagged frame:
    DA | SA | User-VLAN | PDU

(2) GOE-tagged frame format:
    DA | SA | NW-Stacked VLAN | User-VLAN | PDU
    The NW-Stacked VLAN field carries: Forwarding Tag (M), Protection Tag (O), OAM&P Tag (O), Vendor Ext. (O), Variable-length Customer ID Tag (M)
    M: Mandatory tag, O: Optional tag


GOE features

• "Node address" based forwarding
• Hierarchical node address routing
• Backward compatibility with legacy Ethernet devices
• Fast failure recovery
• In-service network reconfiguration
• Traffic engineering

Atsushi Iwata, et al., 'Global Open Ethernet Architecture for Cost-effective Scalable VPN Solution', IEICE Trans. on Communication, vol. E87-B(1), pp. 142-151, January 2004.


"Node address" based forwarding (via per-destination based STP)

• Allocate a node address and configure the lowest priority for the node to become the root node of its ST

• The ST destined to each node is created via IEEE 802.1q encapsulated 802.1w
  – Per-destination Multiple Rapid Spanning Tree (PD-MRST)
  – The reverse spanning tree is set as the forwarding table (shortest widest path to dest)

[Figure: GOE nodes (root nodes of STs) among current Ethernet nodes; ST#1 is rooted at root node #1 (Dest #1), ST#2 at root node #2 (Dest #2).]


Hierarchical node address routing (massively scalable simple routing)

• Allocate hierarchical node addr.
  – [Lev3rd ID][Lev2nd ID][Lev1st ID]

• Spanning tree for each domain in each level
  – Hierarchical spanning tree

• Number of STs
  – X domains in 3rd level
  – Y domains in 2nd level
  – Z domains in 1st level
  – Total #: X+Y+Z

• Forwarding table
  – Only the top of the forwarding-tag stack
  – Excludes dest-MAC-address based forwarding
  – Can reduce # of forwarding entries

[Figure: the network topology arranged in a hierarchy of Level 1, Level 2 and Level 3 domains (Domain #a … Domain #l).]
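The following is an added model (not NEC's code or the GOE implementation) of how the two preceding slides fit together: three-level node addresses, a forwarding-tag stack pushed at the ingress edge, lookups on the top tag only, and the forwarding-entry count per node under flat per-destination trees versus the hierarchical scheme. The topology, the tuple address format and the assumption that a node keeps one entry per tree it takes part in are constructed for this example.

```python
"""Hierarchical node-address forwarding in the style of the GOE slides.

Constructed model, not NEC's implementation: a node address is the tuple
(lev3, lev2, lev1) of domain IDs. The ingress edge pushes one forwarding tag
per address level that differs from its own, and each node looks up only the
top tag, popping it once the frame is inside the domain that tag names.
"""
from collections import namedtuple

Addr = namedtuple("Addr", "lev3 lev2 lev1")


def push_tags(src, dst):
    """Tag stack pushed at the ingress edge, top of stack first."""
    stack = []
    if src.lev3 != dst.lev3:
        stack.append((3, dst.lev3))
    if (src.lev3, src.lev2) != (dst.lev3, dst.lev2):
        stack.append((2, dst.lev2))
    stack.append((1, dst.lev1))
    return stack


def lookup(node, stack):
    """Return (tree, remaining_stack) for a frame carrying `stack` at `node`.

    `tree` is the (level, id) spanning tree the node consults, or None once
    the frame has reached its destination node. A level-3 or level-2 tag is
    popped as soon as the node is inside the domain it names, so the lookup
    never needs more than the top of the stack.
    """
    own = {3: node.lev3, 2: node.lev2}
    while stack and stack[0][0] in own and own[stack[0][0]] == stack[0][1]:
        stack = stack[1:]
    if not stack or stack == [(1, node.lev1)]:
        return None, []
    return stack[0], stack


def table_size(node, nodes):
    """(flat, hierarchical) forwarding-entry counts at `node`.

    Flat per-destination STs need one tree per node. In the hierarchical
    model assumed here a node keeps one entry per tree it takes part in: all
    level-3 domains, the level-2 domains of its own level-3 domain, and the
    nodes of its own level-2 domain.
    """
    lev3 = {n.lev3 for n in nodes}
    lev2 = {n.lev2 for n in nodes if n.lev3 == node.lev3}
    lev1 = {n.lev1 for n in nodes if n[:2] == node[:2]}
    return len(nodes), len(lev3) + len(lev2) + len(lev1)


def grid(x, y, z):
    """Constructed topology: x level-3 domains, y level-2 per level-3, z nodes per level-2."""
    return [Addr(a, b, c) for a in range(1, x + 1)
            for b in range(1, y + 1) for c in range(1, z + 1)]
```

With a 3x3x3 topology a node needs 27 flat entries but only 9 (3+3+3) under the hierarchical model, which is the reduction the slide claims.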


Backward compatibility with legacy Ethernet devices

• Use existing multiple spanning tree protocols (MSTP: IEEE 802.1q encapsulated 802.1w, 802.1s)

• Interworking between existing VLAN and GOE
  – Existing VLAN: bi-directional trees
  – GOE forwarding tree: uni-directional trees


Fast failure recovery

                                       PD-MRSTP (802.1q based 802.1w/s)   MRSTP (802.1w/s)
Restoration time (Link failure)        50 [ms] - N [sec]                  50 [ms] - N [sec]
Restoration time (Node failure)        50 [ms] - N [sec]                  N [sec]
Restoration time (Root node failure)   N/A                                N [sec]
Network management server              Not required                       Not required

• Additional keep-alive proc. for quick node failure detection
• Root node failure means the destination node failure, which does not require any root node election
  – Trigger dual-homing recovery (root node protection) through another root node (destination node)


In-service network reconfiguration

                                  PD-MRSTP (802.1q based 802.1w/s)               MRSTP (802.1w/s)
In-service reconfiguration time   0 [sec] (may have a packet-reordering issue)   0 [sec] - N [sec]

[Figure: GOE nodes (root nodes of STs) among current Ethernet nodes. Root node #1 keeps Dest ID 0001 on the active ST; additional GOE nodes do not use the active ST and trigger a new ST under alternate ID 10001; traffic then switches over to the new tree.]


Pros and cons of upper layer approach

• Application information is available.
  – Application-aware control such as web caching becomes possible.
  – Selected users/applications become the target, so a small start is possible.
    • Might be able to avoid the scalability issue

• However, since it is built on IP, precise control is difficult.
• There are so many servers in the network these days…

[Figure: various servers scattered in the network, attached through a standard I/F and an application-specific I/F: web caching, Contents Delivery Network (CDN), TCP performance enhancement box, firewalls, …]


IETF OPES; running after the reality

• IETF made the OPES WG in order to control a situation that is getting out of control.
  – Standardize a general framework for such middleboxes.
    • Security, procedures to call other OPES processors, procedures to chain OPES processors, …
  – Severe resistance occurred because it breaks the e2e argument. The proposal to establish OPES was rejected 3 times.
  – IAB issued RFC3238 to describe the conditions that the OPES WG must follow.

There are so many servers in today's Internet: NAT, NAT with Protocol Translator, SOCKS gateway, IP Tunnel Endpoints, Packet classifiers, TCP performance enhancing proxies, Load balancers that divert/munge packets, IP Firewalls, Application Firewalls, …

The E2E argument has already been broken.


RFC3238: The condition to establish OPES

• The right to install an OPES entity
  'A middlebox often modifies its contents. Who permitted that?'
  It's OK if one of the peers agrees. Virus checking: end users; CDN: server, probably.

• Health check
  How can we know the processing is done correctly?
  A mechanism by which the peer that installed the middlebox can detect and health-check the OPES entity should be installed.
  If it is possible to communicate without middleboxes, middleboxes must not interfere with 'raw' communication.

• Addressing (URI)
  OPES must not resolve URIs.
  (If there is an entity whose URI only OPES can resolve, what is a 'URI'? This is a profound question, so IAB prohibits temporary solutions.)

• Privacy: the end user must be able to set a privacy policy.

IAB ordered the OPES WG to satisfy these conditions.


OPES activities

• A protocol to execute services on remote OPES processors with authentication
• A protocol to detect the existence of OPES processors
• An architecture that enables these requirements (esp. for HTTP)
• Policy distribution protocol for service execution

It standardizes various aspects of distributed services that use an 'OPES processor'.

[Figure: data provider and data consumer communicate over HTTP/TCP/IP through an OPES processor (data dispatcher + OPES service application); the processor reaches callout server A … callout server X, each hosting its own OPES service application, over OCP/TCP/IP(?).]


TCP overlay

The idea: if we split a TCP connection into multiple connections, we can
• increase the throughput,
• monitor and log the usage (like Packeteer's packet shaper), and
• control the throughput of each TCP connection

[Figure: throughput max (Mbps), 0 to 120, versus RTT (msec) from 5 to 640, Tokyo-Osaka.]


Rate control with TCP overlay box

[Figure: two overlay nodes carrying connections with overlay across a bottleneck link between two routers, with a cross-traffic generator on each side. Plot: goodput (Mbps) over simulation time (sec) for total bandwidth, total goodput (incl. cross traffic), the overlayed connection's goodput and the target goodput.]

• The throughput of each TCP connection can be controlled by regulating the congestion window size of each TCP independent of the 'true' network congestion.


Confidentiality and Integrity: end-user’s job?

They were the end-user's job in the past, because information processing did not exist in networks. But

• Already there are many, many servers in networks
  – Firewalls, mail, web caches, transactions for EC, …

• Information processing will increase even more because
  – End-users cannot manage it themselves (virus checking, SPAM filtering in the network).
  – And the links between end-users and edge routers are becoming fast enough to share the burden of data processing.

So we have to implement them in the future. By integrating terminals, the network will become an enormously complicated system. Can we manage them? (firewall terminal :<)


Shift of network design paradigm

[Figure: Preparatory. Random, equal access: telephone network (socialism or dictatorship). LAN, computer networks of early days (democracy).]


RANDOM network: artificial network

Traditional communication networks, power grid, railways, highways (every node is equal; legacy infrastructure)


Scale-free networks (growing network common in the natural world)

Internet, Web, personal relationships, airline hubs, reactions among proteins


We are looking at the rise of scale-free networks

[Figure: from random, equal access to self-organizing and autonomous.]

• In the past, this shift was achieved by excellent SIers or administrators. But it is becoming impossible because the system is too complicated.
  – Making a list of new products is too tough a business
  – Distinguishing the cause of troubles is too tough a business