
BALANCING ACCOUNTABILITY & PRIVACY IN THE NETWORK, David Naylor, Matt Mukerjee, Peter Steenkiste (PowerPoint PPT Presentation)



  1. Carnegie Mellon University BALANCING ACCOUNTABILITY & PRIVACY IN THE NETWORK David Naylor Matt Mukerjee Peter Steenkiste

  2. ACCOUNTABILITY: operators want to know who sends each packet so they can stop malicious senders. VS PRIVACY: users want to hide who sends certain packets so they can do stuff without the whole world knowing.

  3. ACCOUNTABILITY: Accountable Internet Protocol [Andersen et al., SIGCOMM 2008]: cryptographic addresses + anti-spoofing mechanism + shutoff protocol. Drawbacks: No Privacy; Shutoff is a Stop-Gap Fix; Requires “Smart NIC”. VS PRIVACY: Tor Instead of IP [Liu et al., HotNets 2011]: routers act as onion nodes. Drawbacks: No Accountability; Heavyweight.

  4. ACCOUNTABILITY: Accountable Internet Protocol [Andersen et al., SIGCOMM 2008]: unforgeable source addresses. VS PRIVACY: Tor Instead of IP [Liu et al., HotNets 2011]: hidden source addresses.

  5. Packet header: Destination Address | Source Address | …

  6. Packet header: Destination Address | Source Address | … The source address serves several roles: return address, accountability, sender identity, error reporting, flow ID.

  7. Packet header: Destination Address | Source Address | Source Address | …

  8. Packet header: Destination Address | Accountability Address | Return Address | … Separate Accountability and Return Addresses.

  9. APIP: ACCOUNTABLE AND PRIVATE INTERNET PROTOCOL. Packet header: Destination Address | Accountability Address | Return Address (hidden) | … = Separate Accountability and Return Addresses + Delegated Accountability + Hidden Return Addresses.

  10. APIP: ACCOUNTABLE AND PRIVATE INTERNET PROTOCOL. Packet header: Destination Address | Accountability Address | Return Address (hidden) | … = Separate Accountability and Return Addresses + Delegated Accountability + Hidden Return Addresses. Topic: Real-World Deployment.

  11. APIP: ACCOUNTABLE AND PRIVATE INTERNET PROTOCOL. Packet header: Destination Address | Accountability Address | Return Address (hidden) | … = Separate Accountability and Return Addresses + Delegated Accountability + Hidden Return Addresses. Topics: How it Works, Flow Granularity, Feasibility, Real-World Deployment.

  12. DELEGATED ACCOUNTABILITY: the Sender sends packet P to the Receiver and brief(P) to its Accountability Delegate; a verifier on the path sends verify(P) to the Delegate and receives OK; the Receiver can send shutoff(P) to the Delegate.

  13. brief(P): Sender to Delegate: “I sent this packet.”

  14. brief(P): the Sender sends F(P), the fingerprint of P, to the Delegate, which keeps a FINGERPRINT CACHE (e.g. 04AF4DE779, B217C45091, CF24DBA5F0, B0AFD9C282, 30E26E83B2). Batch fingerprints in a Bloom filter. The Delegate does not learn packet contents.

  15. DELEGATED ACCOUNTABILITY: Sender, Receiver, Accountability Delegate; messages: P (Sender to Receiver), brief(P), verify(P), shutoff(P).

  16. verify(P): Verifier to Delegate: “Do you vouch for this packet?”

  17. verify(P): TWO CHECKS at A’s Delegate: 1. P (A ➞ B) is in the fingerprint cache; 2. Flow A ➞ B is not shut off. The router sends verify(P), receives OK, and records A → B in its VERIFIED FLOWS.

  18. verify(P): TWO CHECKS at A’s Delegate: 1. P (A ➞ B) is in the fingerprint cache; 2. Flow A ➞ B is not shut off. The router sends verify(P), receives OK, and records A → B in its VERIFIED FLOWS. Most effective at first hop. Verified flow entries periodically expire. Routers keep no state during verification.

  19. DELEGATED ACCOUNTABILITY: Sender, Receiver, Accountability Delegate; messages: P (Sender to Receiver), brief(P), verify(P), shutoff(P).

  20. shutoff(P): Receiver to Delegate: “Stop this flow.”

  21. shutoff(P): B sends shutoff(P) for packet P (A → B) to A’s Delegate, which adds A → B to its BLOCKED FLOWS; the router still holds A → B in its VERIFIED FLOWS.

  22. shutoff(P): A → B is in A’s Delegate’s BLOCKED FLOWS; the router’s VERIFIED FLOWS entry for A → B has expired.

  23. shutoff(P): A’s Delegate holds A → B in BLOCKED FLOWS; when the router sends verify(P) for a new packet P (A → B), the Delegate answers DROP_FLOW.

  24. shutoff(P): A’s Delegate holds A → B in BLOCKED FLOWS; when the router sends verify(P) for a new packet P (A → B), the Delegate answers DROP_FLOW. Signature proves receiver sent shutoff. Filtering happens at router, not NIC. Delegate also facilitates long-term fix.
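The brief / verify / shutoff exchange of slides 12 to 24, as an added toy model in Python (not the authors' code or the APIP implementation). The Packet fields, the fingerprint function, the flow key and the HMAC-based shutoff check are constructed stand-ins; the paper uses a Bloom (later Cuckoo) filter for the fingerprint cache and ed25519 signatures to prove the receiver sent the shutoff.

```python
import hashlib, hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:            # constructed header model, not the APIP wire format
    acct: str            # accountability address: names the sender's delegate
    dst: str             # destination address
    flow: str            # flow ID assigned by the delegate (granularity varies)
    payload: bytes

def fingerprint(p):      # F(P): the delegate stores this digest, never the contents
    return hashlib.sha256(f"{p.acct}|{p.dst}|{p.flow}|".encode() + p.payload).digest()[:5]
def flow_key(p):         # "flow A -> B" in the slides
    return (p.flow, p.dst)
def sign_shutoff(key, p):  # HMAC stand-in for the receiver's ed25519 signature
    return hmac.new(key, fingerprint(p), "sha256").digest()

class Delegate:
    def __init__(self, receiver_keys):
        self.cache = set()           # fingerprint cache (Bloom filter in the paper)
        self.blocked = set()         # BLOCKED FLOWS
        self.keys = receiver_keys    # dst -> key used to authenticate shutoff requests
    def brief(self, p):              # sender: "I sent this packet"
        self.cache.add(fingerprint(p))
    def verify(self, p):             # verifier: "do you vouch for this packet?"
        if fingerprint(p) not in self.cache:
            return "DROP"            # check 1: never briefed
        if flow_key(p) in self.blocked:
            return "DROP_FLOW"       # check 2: receiver shut the flow off
        return "OK"
    def shutoff(self, p, sig):       # receiver: "stop this flow"
        good = sign_shutoff(self.keys[p.dst], p)
        if not hmac.compare_digest(sig, good):
            return False             # unauthenticated request: flow stays open
        self.blocked.add(flow_key(p))
        return True

class Router:
    def __init__(self, delegate):
        self.d, self.verified = delegate, set()   # VERIFIED FLOWS
    def forward(self, p):
        if flow_key(p) in self.verified:
            return True              # vouched for earlier; no round trip to the delegate
        if self.d.verify(p) == "OK":
            self.verified.add(flow_key(p))
            return True
        return False                 # DROP / DROP_FLOW: filtered at the router, not the NIC
    def expire(self):                # verified flow entries periodically expire
        self.verified.clear()
```

Once a flow is verified the router forwards further packets of that flow without consulting the delegate, so a shutoff only takes effect after the verified entry expires and the next verify(P) returns DROP_FLOW.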

  25. DELEGATED ACCOUNTABILITY: Sender, Receiver, Accountability Delegate; messages: P (Sender to Receiver), brief(P), verify(P), shutoff(P).

  26. IS THIS TECHNICALLY FEASIBLE? Sender, Receiver, Accountability Delegate; messages: P (Sender to Receiver), brief(P), verify(P), shutoff(P).

  27. IS THIS TECHNICALLY FEASIBLE? brief(P): Storage Overhead: < 1GB of fingerprints at the delegate. Network Overhead: 0.5% for sending fingerprints.

  28. IS THIS TECHNICALLY FEASIBLE? verify(P): Computational Overhead: 78K verifies per sec at the delegate. Storage Overhead: 94MB verified flow list at the router. Cuckoo filter: [Zhou et al., CoNEXT 2013]; ed25519: [Bernstein et al., 2012].

  29. FLOW GRANULARITY: One flow ID for all clients (GRANULARITY: DELEGATE ⬌ DESTINATION) gives a Large Anonymity Set. One flow ID per connection (GRANULARITY: TCP FLOW) gives No Collateral Damage for Shutoff.

  30. ASSIGNING FLOW IDS: the DELEGATE assigns FLOW IDS to the DELEGATE’S CLIENTS. SHARED flow IDs: Large Anonymity Set. UNIQUE flow IDs: No Collateral Damage. A VARIETY OF CLASSES: Flexible.

  31. APIP: ACCOUNTABLE AND PRIVATE INTERNET PROTOCOL. Packet header: Destination Address | Accountability Address | Return Address (hidden) | … = Separate Accountability and Return Addresses + Delegated Accountability + Hidden Return Addresses. Topics: How it Works, Flow Granularity, Feasibility, Real-World Deployment.

  32. APIP: ACCOUNTABLE AND PRIVATE INTERNET PROTOCOL. Packet header: Destination Address | Accountability Address | Return Address (hidden) | … = Separate Accountability and Return Addresses + Delegated Accountability + Hidden Return Addresses. Topic: Real-World Deployment.

  33. HIDING RETURN ADDRESSES. 1. END-TO-END ENCRYPTION: header Destination | Accountability | Return (encrypted) | … 2. ADDRESS TRANSLATION: header Destination | Accountability | Opaque ID | … Each option is compared on Protection From: Source Domain, Local Observers, Transit Networks, Receiver (the per-option checkmarks of the original table are not recoverable here). Stateless and secure: [Raghavan 2009].

  34. APIP: ACCOUNTABLE AND PRIVATE INTERNET PROTOCOL. Packet header: Destination Address | Accountability Address | Return Address (hidden) | … = Separate Accountability and Return Addresses + Delegated Accountability + Hidden Return Addresses. Topic: Real-World Deployment.

  35. APIP: ACCOUNTABLE AND PRIVATE INTERNET PROTOCOL. Packet header: Destination Address | Accountability Address | Return Address (hidden) | … = Separate Accountability and Return Addresses + Delegated Accountability + Hidden Return Addresses. Topic: Real-World Deployment.

  36. EXAMPLE DEPLOYMENTS. Specialized Companies as Delegates: an EXTERNAL DELEGATE holds the FINGERPRINT CACHE; the packet carries DESTINATION | ACCOUNTABILITY | RETURN; No burden on source domains; Larger anonymity set. Source Domains as Delegates: the SOURCE DOMAIN’s BORDER ROUTER acts as DELEGATE; the packet carries DESTINATION | ACCOUNTABILITY | RETURN; No briefing overhead; Lower verification latency.

  37. APIP: ACCOUNTABLE AND PRIVATE INTERNET PROTOCOL. Packet header: Destination Address | Accountability Address | Return Address (hidden) | … = Separate Accountability and Return Addresses + Delegated Accountability + Hidden Return Addresses. Topic: Real-World Deployment.

  38. APIP: ACCOUNTABLE AND PRIVATE INTERNET PROTOCOL. Packet header: Destination Address | Accountability Address | Return Address (hidden) | … = Separate Accountability and Return Addresses + Delegated Accountability + Hidden Return Addresses. Topic: Real-World Deployment.

  39. IN THE PAPER: Source address roles; Who can be a delegate?; Anonymity set analysis; Attacking APIP; Trust/key management; Protocol details.

  40. ACCOUNTABILITY: unforgeable source addresses. VS PRIVACY: hidden source addresses.

  41. ACCOUNTABILITY: every packet carries an accountability address for reporting misbehavior (Delegated Accountability). & PRIVACY: the return address can be hidden, since the network just needs the accountability address (Hidden Return Addresses).

  42. Carnegie Mellon University BALANCING ACCOUNTABILITY & PRIVACY IN THE NETWORK David Naylor Matt Mukerjee Peter Steenkiste
