
Authorizing Network Control at Software Defined Exchange Points - PowerPoint PPT Presentation



  1. Authorizing Network Control at Software Defined Exchange Points
     Arpit Gupta, Princeton University
     http://sdx.cs.princeton.edu
     Nick Feamster, Laurent Vanbever

  2. Internet Exchange Points (IXPs)
     (Diagram: Route Server, BGP Session, IXP Switching Fabric, AS A Router, AS B Router, AS C Router.)

  3. Software Defined IXPs (SDXs)
     (Diagram: SDX Controller, SDX BGP Session, SDN Switch, AS A Router, AS B Router, AS C Router.)

  4. SDX Opens Up New Possibilities
     • More flexible business relationships
       – Make peering decisions based on time of day, volume of traffic & nature of application
     • More direct & flexible traffic control
       – Define fine-grained traffic engineering policies
     • Better security
       – Block or redirect attack traffic at finer level of granularity

  5. SDX for DDoS Attack Mitigation
     (Diagram: Attacker, SDX 1, SDX 2, AS 88.)
     Attack traffic traverses two different SDXs

  6. Remotely Block Attack Traffic
     (Diagram: Attacker, SDX 1, SDX 2, AS 88; SDN Policies.)
     Victim remotely pushes block rules to SDX

  7. Subscribe to Third Party Services
     (Diagram: Attacker, Verisign, SDX 1, SDX 2, AS 88; SDN Policies, DOTS.)
     Victim subscribes to Verisign for DDoS protection

  8. SDX vs. Traditional DDoS Defense
     • Remote influence
       Physical connectivity to SDX not required
     • More specific
       Drop rules based on multiple header fields, source address, destination address, port number …
     • Coordinated
       Drop rules can be coordinated across multiple IXPs

  9. Spider-Man Dilemma
     With Great Power Comes Great Responsibility
     • Authorize Remote Requests
       – Is AS 88 owner of flow space under attack?
     • Authorize Third Party Requests
       – Is Verisign authorized by AS 88 to block or redirect attack traffic?
       – Is AS 88 owner of flow space under attack?

  10. Authorization Logic
      • Conventional Authorization Logic
        – Applied over discrete resources
        – Limited allowable actions (read/write etc.)
      • Authorization Logic for Network Control
        – Resources → Set of packets within some flow space
        – Actions → Transformations on the packet’s metadata

  11. FLANC Authorization Logic
      • Resource Ownership
        – Principals that own the resource under consideration
      • Allowed Actions
        – Set of allowed transformations for resource owners, T: {sIP, sPort, dIP, dPort, phyPort} → {sIP, sPort, dIP, dPort, phyPort}
        – e.g. Drop Telnet traffic from 10.0.0.1 and 20.0.0.1: T: {{10.0.0.1, 20.0.0.1}, *, *, {23}, *} → {*, *, *, *, {}}
      • Delegations
        – Mechanisms by which one principal gives other permission to operate on their resources

  12. FLANC Authorization Logic at SDX
      (Diagram: Participant 1, Participant 2, … Participant N; SDX Controller with Request Handler, Reference Monitor, Credential Handler and Event Handler; Credentials; Network Events; Southbound APIs; Switching Fabric.)

  13. AS 88 sends Delegation Credentials
      (Diagram: Attacker, Verisign, SDX 1, SDX 2, AS 88.)
      AS 88 says, Verisign speaks for AS 88 for T, where T: {*, *, {128.112.0.0/16}, {80, 443}, *} → {*, *, *, *, *}

  14. AS 88’s HTTP Server under Attack
      (Diagram: Attacker, Verisign, SDX 1, SDX 2, AS 88 (HTTP, 128.112.136.35).)

  15. AS 88 sends DOTS Message
      (Diagram: Attacker, Verisign, SDX 1, SDX 2, AS 88.)
      {128.112.136.35, 80, TCP}

  16. Verisign sends SDN Policies
      (Diagram: Attacker, Verisign, SDX 1, SDX 2, AS 88.)
      dIP=128.112.136.80, dPort=80 → fwd(V)

  17. Checking Authorization at SDX
      • Request Handler
        – Associate request with the principal (Verisign)
        – Extract request transformation
          • T_req: {*, *, 128.112.136.80, 80, *} → {*, *, *, *, V}
      • Credential Handler
        – CA says, “AS 88 owns {*, *, 128.112.0.0/16, *, *}”
        – Delegation credentials from AS 88
      • Reference Monitor
        – Generate a proof, “Verisign can say T_req”

  18. Evaluation Results
      (Plot: Cumulative Distribution of Time; x-axis Time (us); series Remote Requests and Third Party Requests.)
      Dataset: AS 88 IPS logs for 1 week, 550K alert events

  19. Evaluation Results
      (Plot: Cumulative Distribution of Time; x-axis Time (us); series Remote Requests and Third Party Requests.)
      FLANC incurs minimal performance overhead

  20. Takeaways
      • Authorizing Network Control at SDX is critical
      • FLANC is the first step
        – Associates requests with principal
        – Considers flow space abstraction
        – Considers conditional delegations
      • FLANC’s scope is broader than SDX
        – Campus Network
        – Mitigating Route Hijacks
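
The authorization check walked through on slides 13 to 17, as an added Python sketch (not code from the slides or from FLANC). The data model, the treatment of "*" in the output side as "any value permitted", the rule that an owner may apply any transformation, and all function names are assumptions made for this illustration; the flow spaces are constructed from the values shown on the slides.

```python
import ipaddress

FIELDS = ("sIP", "sPort", "dIP", "dPort", "phyPort")
ANY = None  # the slides' "*" wildcard

def space(**fields):
    """Build a 5-field flow space; omitted fields are wildcards."""
    out = {}
    for f in FIELDS:
        vals = fields.get(f, ANY)
        if vals is not ANY:
            vals = {ipaddress.ip_network(v) if f.endswith("IP") else v for v in vals}
        out[f] = vals
    return out

def covers(outer, inner):
    """True if every value of `inner` lies inside `outer`."""
    if outer is ANY:
        return True
    if inner is ANY:
        return False
    if not inner:                # {} (drop) must be granted explicitly
        return not outer
    def within(v, o):
        return v.subnet_of(o) if isinstance(v, ipaddress.IPv4Network) else v == o
    return all(any(within(v, o) for o in outer) for v in inner)

def subset(inner, outer):
    return all(covers(outer[f], inner[f]) for f in FIELDS)

def authorize(principal, match, out, ownership, delegations):
    """Return a proof chain (list of statements) or None when no proof exists."""
    for owner, owned in ownership.items():
        if not subset(match, owned):
            continue
        proof = [f"CA says {owner} owns the requested flow space"]
        if principal == owner:   # assumption: owners may apply any transformation
            return proof
        for d in delegations:
            if (d["by"], d["to"]) == (owner, principal) \
                    and subset(match, d["match"]) and subset(out, d["out"]):
                return proof + [f"{owner} says {principal} speaks for {owner} for T",
                                f"{principal} can say T_req"]
    return None

# Constructed from the values on slides 13 and 17.
OWNERSHIP = {"AS 88": space(dIP=["128.112.0.0/16"])}
DELEGATIONS = [{"by": "AS 88", "to": "Verisign", "out": space(),
                "match": space(dIP=["128.112.0.0/16"], dPort=[80, 443])}]
T_REQ = (space(dIP=["128.112.136.80"], dPort=[80]), space(phyPort=["V"]))
```

A request from Verisign for port 22, for a destination outside 128.112.0.0/16, or from a principal with no delegation yields no proof and is rejected.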
