Page 1:

Permission-Based Sending (PBS) NSLP: Network Traffic Authorization

draft-hong-nsis-pbs-nslp-01

Se Gi Hong & Henning Schulzrinne, Columbia University

July 2008, IETF 72 - NSIS

Page 2:

Overview of PBS

• Objective
  – Preventing Denial-of-Service (DoS) attacks and other forms of unauthorized traffic.

• Network traffic authorization
  – A sender has to receive permission from the intended receiver before it injects any packets into the network.
  – Permission represents the authority to send data.

• Deny-by-default
  – In a closed network (all end users have PBS NSLP functionality):
    • Unauthorized traffic, i.e., traffic without permission, is dropped at the first router by default.
  – In the open Internet (some end users do not have PBS NSLP functionality):
    • Traffic from end users who do not have PBS NSLP functionality is rate-limited by default.

Page 3:

Design Overview

• Distributed system
  – The permission is granted by the intended receiver of a data flow.
  – Signaling installs and revokes the permission state of routers for data flows.

• Stateful system
  – A subset of routers keeps state for a data flow and monitors whether the flow is authorized.

• Deployable system
  – PBS can be applied to current networks.
    • PBS does not change the IP and TCP/UDP packet headers.
  – An existing security protocol is used.
    • IPsec

• Scalable system
  – Not all routers need to be aware of PBS.
  – Reduced computational overhead.
    • Only data packets from senders that are affected by attacks use IPsec.

Page 4:

Design Overview

• DoS defense mechanism
  – DoS detection mechanism
    • The PBS Detection Algorithm (PDA) can detect DoS attacks.
    • PDA uses the signaling messages to monitor for attacks.
  – Reaction mechanisms against DoS attacks
    • Limited permission
      – Limited permission bounds the volume of data a sender may inject.
    • IPsec Authentication Header (AH)
      – For the authentication and integrity of data packets.
    • Changing the data path
      – To avoid a compromised router that drops legitimate packets.

Page 5:

Three Components of the PBS NSLP Architecture

• Path-coupled (on-path) signaling component
  – Installs and maintains permission state.
  – Monitors attacks and triggers the reaction mechanism against them.
  – Signaling messages are authenticated and integrity-protected by IPsec AH.

• Authorization component
  – Decides whether to grant permission (the amount of data volume) for a flow.
  – Detects and identifies attacks with the PDA.
  – Decides the reaction mechanism against the attacks.
    • e.g., IPsec AH for data packets, changing the data-flow path

• Traffic management component
  – Screens data packets to see whether they are authorized.
  – Drops unauthorized packets using an IP packet filter.
  – Counts the volume of data to monitor the data flow.
  – Verifies the authentication of packets.
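The traffic management component above, as an added simulation (this is not code from the draft or its authors). It models a PBS-aware first-hop router: permission state is installed and revoked by Permission messages, packets of flows without permission are dropped (closed network) or, for senders that do not speak PBS in the open Internet, rate-limited, and the forwarded volume is counted against the allowed volume. Assumed, because the deck does not specify them: the flow identifier as a (src, dst, proto, sport, dport) tuple, enforcement of the allowed volume (AV) at the router, and a token bucket as the rate-limiting policy for non-PBS senders.

```python
# Simulation of the traffic-management component of a PBS-aware router
# (added example; not code from the draft or its authors). Assumptions:
#  - flows are identified by a (src, dst, proto, sport, dport) tuple,
#  - the first-hop router enforces the allowed volume (AV) as well as TTL,
#  - non-PBS senders in the open Internet are rate-limited by a token bucket.
from dataclasses import dataclass


@dataclass
class Permission:
    """Per-flow permission state installed by a Permission message."""
    allowed_volume: int   # AV: bytes the receiver granted
    expires_at: float     # install time + TTL
    forwarded: int = 0    # bytes already forwarded under this permission


class PBSRouter:
    """Deny-by-default packet filter driven by PBS permission state.

    closed_network=True : every flow without permission is dropped.
    closed_network=False: flows from senders that do not speak PBS are rate-limited
                          instead; PBS-capable senders without permission are dropped.
    """

    def __init__(self, closed_network, rate_bps=0, burst=0):
        self.closed_network = closed_network
        self.state = {}               # flow id -> Permission
        self.rate_bps = rate_bps      # token bucket for non-PBS senders (assumed policy)
        self.burst = burst
        self.tokens = burst
        self.last_refill = 0.0

    def on_permission(self, fid, allowed_volume, ttl, now):
        """Install (AV > 0) or revoke (AV == 0) permission state for a flow."""
        if allowed_volume <= 0:
            self.state.pop(fid, None)
        else:
            self.state[fid] = Permission(allowed_volume, now + ttl)

    def _rate_limit(self, nbytes, now):
        """Token bucket: refill at rate_bps, cap at burst, charge nbytes if possible."""
        self.tokens = min(self.burst, self.tokens + (now - self.last_refill) * self.rate_bps)
        self.last_refill = now
        if self.tokens >= nbytes:
            self.tokens -= nbytes
            return "forward"
        return "drop"

    def on_data(self, fid, nbytes, now, pbs_sender=True):
        """Screen one data packet; returns 'forward' or 'drop'."""
        perm = self.state.get(fid)
        if perm is None:
            if self.closed_network or pbs_sender:
                return "drop"                   # deny-by-default: no permission installed
            return self._rate_limit(nbytes, now)
        if now > perm.expires_at:
            del self.state[fid]                 # TTL expired and never refreshed
            return "drop"
        if perm.forwarded + nbytes > perm.allowed_volume:
            return "drop"                       # limited permission: AV exhausted
        perm.forwarded += nbytes                # volume accounting for monitoring
        return "forward"


if __name__ == "__main__":
    fid = ("10.0.0.1", "10.0.0.2", 6, 40000, 80)   # constructed flow identifier
    r = PBSRouter(closed_network=True)
    print(r.on_data(fid, 1000, now=0.0))                    # drop: no permission yet
    r.on_permission(fid, allowed_volume=5000, ttl=30, now=0.0)
    print(r.on_data(fid, 4000, now=1.0), r.on_data(fid, 2000, now=2.0))  # forward drop
```

The time argument is passed in explicitly so that TTL expiry and the token-bucket refill can be exercised deterministically; a real implementation would read a monotonic clock and would also verify IPsec AH on the data packets when the receiver has requested that reaction.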

Page 6:

PBS NSLP Signaling Message

• Two-way handshake
  – Query message
    • Sent by a sender to request permission
    • Describes the requested application
    • Rate-limited by proof-of-work
  – Permission message
    • Sent by a receiver
    • Sets up (grants), removes (revokes) and modifies permission state
    • Triggers the reaction mechanism against attacks

• Soft state
  – The permission state is refreshed periodically by a soft-state mechanism.

Page 7:

PBS Detection Algorithm (PDA)

• Monitoring for DoS attacks
  – Uses the existing PBS NSLP messages (Query/Permission messages).
  – Uses the soft-state mechanism to monitor the data flow periodically.

• Basic operation of PDA
  – The Query message sent by a sender contains the number of bytes that the sender has sent since the permission was granted.
  – The receiver compares the number of bytes in the Query message with the number of bytes it has actually received.
  – If there is a difference, the signaling message (the Permission message) triggers the reaction mechanism.

Page 8:

Back-up slides

Page 9:

PBS NSLP Architecture

[Figure: block diagram of the PBS NSLP architecture. Blocks: PBS NSLP Processing, Authorization, NTLP (GIST) Processing, Traffic Management. Arrow legend: Control and configuration, Data flow, Signal flow, On-path signaling.]

Page 10:

Query Message

• Message type flag (M)
  – Set to M=0 to indicate that the message is a Query message.
• Flow identifier
  – Descriptor of the data flow.
  – Source IP address, destination IP address, protocol identifier, higher-layer (port) addressing, flow label, SPI field, DSCP/TOS field.
• Requested volume (RV)
  – The number of bytes that the sender requests.
• Volume information (V)
  – The number of bytes that the sender has sent since it received the permission from the intended receiver.
  – Used to monitor for DoS attacks.
• Public key (Ks)
  – The sender's public key for the authentication of signaling packets.
  – An X.509 certificate is used for the digital signature.
• Cryptographic algorithm (C)
  – Cryptographic algorithm to be used for the authentication field of IPsec AH.
  – C=00: RSA, C=01: DSA, C=10: ECDSA

Page 11:

Permission Message

• Message type flag (M)
  – Set to M=1 to indicate that the message is a Permission message.
• Flow identifier
• Allowed volume (AV)
  – The number of bytes that the receiver grants the sender for the request.
• Time limit (TTL)
  – Time limit for the permission of the data flow.
• Refresh period (T)
  – Used for the soft state of the permission.
• Solution flags (S)
  – S=00: no reaction; S=01: IPsec AH with HMAC for the data flow; S=10: IPsec AH with public-key cryptography for the data flow; S=11: the sender needs to change the data path.
• Public key (Kr)
  – The receiver's public key for the authentication of signaling packets.
  – An X.509 certificate is used for the digital signature.
• Cryptographic algorithm (C)
  – Cryptographic algorithm to be used for the authentication field of IPsec AH.

Page 12:

Basic Operation of PBS NSLP

[Figure: message sequence between Sender, R1, R2 and Receiver; the legend distinguishes data flow and signal flow, and T marks the refresh period. The figure's numbered steps 1 to 5:]

1. Sender -> R1 -> R2 -> Receiver: Q (M, FID, RV, V, Ks, C)
2. Receiver -> R2 -> R1 -> Sender: P (M, FID, AV, TTL, T, S, Kr, C)
3. Data flow
4. After the refresh period T, Sender -> R1 -> R2 -> Receiver: Q (M, FID, RV, V, Ks, C)
5. Receiver -> R2 -> R1 -> Sender: P (M, FID, AV, TTL, T, S, Kr, C)

Page 13:

Basic Operation of PDA

[Figure: Sender, R1, R2, R3 and Receiver, plus an attacker A spoofing S's address; legend: data flow, attack flow, signal flow; T marks the refresh period. The figure's numbered steps 1 to 6:]

1. Sender -> R1 -> R2 -> R3 -> Receiver: Query
2. Receiver -> R3 -> R2 -> R1 -> Sender: Permission (AV=10MB)
3. Data flow from the sender (1MB)
4. Attack flow from A, spoofing S's address (2MB)
5. After T, Sender -> Receiver: Query (V=1MB); the receiver detects the attack (1MB vs 3MB)
6. Receiver -> Sender: Permission (S=10)

Page 14:

Detection of Black Hole Attack

[Figure: Sender, R1, R2, R3 and Receiver; one on-path router is an attacker that drops packets (drop attack); legend: data flow, signal flow. The figure's numbered steps 1 to 2:]

1. Sender -> R1 -> ...: Query; the Query is dropped on the path, no Permission comes back, and the Query times out (T.O.); a repeated Query times out again.
2. Change the data flow path.

Page 15:

Detection of Dropping Only Data Packets

[Figure: Sender, R1, R2, R3 and Receiver; one on-path router is an attacker that drops data packets but forwards signaling (drop attack); legend: data flow, signal flow; T marks the refresh period. The figure's numbered steps 1 to 5:]

1. Sender -> R1 -> R2 -> R3 -> Receiver: Query
2. Receiver -> R3 -> R2 -> R1 -> Sender: Permission (AV=10MB)
3. Data flow from the sender (1MB), dropped by the attacker
4. After T, Sender -> Receiver: Query (V=1MB); the receiver detects the attack (1MB vs 0MB)
5. Receiver -> Sender: Permission (S=11)
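The PDA of slide 7 and the three scenarios of slides 13 to 15, as one added simulation (this is not code from the draft or its authors). The receiver counts the bytes that actually arrive per flow and, on each refresh Query, compares them with the V field: more bytes than claimed means an attacker is injecting packets with the sender's address (slide 13, S=10), fewer bytes means an on-path node drops data but not signaling (slide 15, S=11), and a Query that gets no Permission at all is treated by the sender as a black hole (slide 14, change path). Assumptions, since the deck does not specify them: messages are plain dicts carrying the field names of slides 10 and 11, without Ks/Kr or signatures; the receiver grants exactly the requested volume on the first Query; and the black-hole timeout value is a sender-side parameter.

```python
# Receiver-side PBS Detection Algorithm and sender-side black-hole timeout
# (added example; not code from the draft or its authors). Assumptions:
#  - messages are plain dicts carrying the field names used on slides 10 and 11,
#  - the receiver grants exactly the requested volume on the first Query,
#  - a Query left unanswered for longer than `timeout` is treated as a black hole.
from dataclasses import dataclass

MB = 1_000_000
# Solution flags (S) of the Permission message.
S_NONE, S_AH_HMAC, S_AH_PUBKEY, S_CHANGE_PATH = 0b00, 0b01, 0b10, 0b11


@dataclass
class FlowState:
    allowed_volume: int       # AV granted to this flow
    received: int = 0         # bytes the receiver actually got for this flow
    last_query: float = 0.0   # time the last Query for this flow arrived


class PDAReceiver:
    """Authorization component of the receiver, running the PDA on each refresh Query."""

    def __init__(self, refresh_period, ttl):
        self.T = refresh_period
        self.ttl = ttl
        self.flows = {}           # flow id -> FlowState

    def permission(self, fid, av, s):
        """Permission message, M=1 (Kr and C omitted; no signing in this simulation)."""
        return {"M": 1, "FID": fid, "AV": av, "TTL": self.ttl, "T": self.T, "S": s}

    def on_data(self, fid, nbytes):
        st = self.flows.get(fid)
        if st is not None:
            st.received += nbytes   # counted per flow id, so spoofed packets count too

    def on_query(self, fid, rv, v, now):
        """Handle a Query: rv is the requested volume, v the bytes the sender claims it sent."""
        st = self.flows.get(fid)
        if st is None:                       # first Query: grant permission
            self.flows[fid] = FlowState(allowed_volume=rv, last_query=now)
            return self.permission(fid, rv, S_NONE)
        st.last_query = now
        if st.received > v:
            # More arrived than the sender sent: an attacker injects packets with the
            # sender's address. Require authenticated data packets (slide 13: S=10).
            return self.permission(fid, st.allowed_volume, S_AH_PUBKEY)
        if st.received < v:
            # Less arrived than the sender sent while signaling still gets through:
            # an on-path node drops data packets. Change the path (slide 15: S=11).
            return self.permission(fid, st.allowed_volume, S_CHANGE_PATH)
        return self.permission(fid, st.allowed_volume, S_NONE)


class PBSSender:
    """Sender side: issues Queries and detects a black hole from a missing Permission."""

    def __init__(self, timeout):
        self.timeout = timeout
        self.pending = {}         # flow id -> time the unanswered Query was sent

    def query(self, fid, rv, v, now):
        """Query message, M=0 (Ks and C omitted; no signing in this simulation)."""
        self.pending[fid] = now
        return {"M": 0, "FID": fid, "RV": rv, "V": v}

    def on_permission(self, msg):
        self.pending.pop(msg["FID"], None)
        return msg["S"]           # the reaction the receiver asked for

    def reaction(self, fid, now):
        """No Permission within the timeout: both data and signaling are being dropped."""
        sent = self.pending.get(fid)
        if sent is not None and now - sent > self.timeout:
            return S_CHANGE_PATH  # slide 14: change the data flow path
        return S_NONE


if __name__ == "__main__":
    fid = ("10.0.0.1", "10.0.0.2", 17, 5004, 5004)   # constructed flow identifier
    rx = PDAReceiver(refresh_period=30, ttl=120)
    rx.on_query(fid, rv=10 * MB, v=0, now=0)           # Permission (AV=10MB)
    rx.on_data(fid, 1 * MB)                            # legitimate data flow
    rx.on_data(fid, 2 * MB)                            # attacker spoofing the sender
    print(rx.on_query(fid, rv=10 * MB, v=1 * MB, now=30)["S"])   # 2 (S=10)
```

Note what the comparison can and cannot tell apart: the receiver only sees a byte count per flow identifier, so a spoofing attacker whose packets happen to be dropped elsewhere, or a combination of injection and dropping, can mask each other; the deck's reactions (AH on the data packets, a new path) are what make the next refresh interval conclusive.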