Building Extensible Networks with Rule-Based Forwarding - PowerPoint PPT Presentation

Lucian Popa, Norbert Egi, Sylvia Ratnasamy, Ion


  1. Rule-Based Forwarding (RBF) Architecture – Sources obtain rules.
     [Figure: senders (S), routers, destinations (D); RCEs and DNS; rule R_D]

  2. Rule-Based Forwarding (RBF) Architecture – ...and insert them in packets.
     [Packet: R_D | Payload]

  3. Rule-Based Forwarding (RBF) Architecture – Routers:
     • verify the rule signature
     • follow the rule directives

  4. Rule-Based Forwarding (RBF) Architecture – Packets may contain a return rule.
     [Packet carries R_D and the return rule R_S alongside the payload]

  5. Rule-Based Forwarding (RBF) Architecture – Control plane: rule certification (RCEs) and rule distribution (DNS). Data plane: senders, routers, destinations.

  7. RBF Assumptions
     • Anti-spoofing mechanism – ingress filtering
     • Existence of Rule Certifying Entities (RCEs) and distribution of RCE keys to routers – RCEs: a few large Verisign-like entities, or AS-based
     • Rule distribution (DNS) well provisioned against DDoS attacks

  8. Outline
     • Motivation & Solution Overview
     • Rule-Based Forwarding Architecture – Overview
     • Rule Forwarding Mechanism & Examples
     • Evaluation

  9. RBF Mechanism – Specification
     • Rule: sequence of actions conditioned by if-then-else statements:
         if(<CONDITION>) ACTION1 else ACTION2
     • Conditions: comparison operations on packet header & router state (attributes)

  10. RBF Mechanism – Actions. Rule actions are:
     1. Modify packet header (attributes)
     2. Drop packet
     3. Forward packet (destination / next waypoint)
     4. Invoke upper-layer functionality (if available)

  11. Rule Forwarding Mechanism – Current IP routers: IP → IP FIB → Forwarding

  12. Rule Forwarding Mechanism – RBF routers: a new rule forwarding layer (Rule Router, Forwarding Attributes) sits above IP (IP FIB, Forwarding)

  13. Rule Forwarding Mechanism – Specialized forwarding functions (optional): Multicast, Caching, IDS, …

  14. Rule Forwarding Mechanism – The specialized functions are controlled by ISPs and middlebox owners

  15. Rule Forwarding Mechanism – Forwarding attributes, examples:
     • router's address
     • queue size
     • availability of a specialized function

  16. Rule Forwarding Mechanism – Rules cannot modify router attributes

  17. Rule Forwarding Mechanism – Packet format: Rule | Attributes | Payload. Packet attributes:
     • 5-tuple
     • a bit
     • arbitrary semantics (e.g., middlebox was visited)

  18. Rule Forwarding Mechanism – Rules can modify packet attributes

  19. Rule Forwarding Mechanism – The packet (Rule | Attributes 1 | Payload) enters the rule router

  20. Rule Forwarding Mechanism – Rule can: 1. Modify packet attributes (Attributes 1 → Attributes 2)

  21. Rule Forwarding Mechanism – Example (modify attributes):
         if(router.congestion > pkt.max_congestion)
           pkt.max_congestion = router.congestion
         sendto D

  22. Rule Forwarding Mechanism – Rule can: 2. Drop packet

  23. Rule Forwarding Mechanism – Example (drop):
         if(pkt.source != S)
           drop
         sendto D

  24. Rule Forwarding Mechanism – Rule can: 3. Forward (Rule | Attributes 2 | Payload is handed to IP forwarding)

  25. Rule Forwarding Mechanism – Example (forward):
         sendto D

  26. Rule Forwarding Mechanism – Rule can: 4. Invoke (a specialized function)

  27. Rule Forwarding Mechanism – Example (invoke):
         if(router.has_caching == TRUE)
           invoke CachingFunc
         sendto D

  28. RBF Mechanism – Rule Lease
     • Each rule has an associated lease period
     • Routers drop expired rules

  29. Examples – Waypoint. R_D: "Go to R1 before reaching D"   [S → R1 → D]

  30. Examples – Waypoint. R_D:
         if(packet.been_to_R1 == 0)
           if(router.address != R1)
             sendto R1
           else
             packet.been_to_R1 = 1
         if(packet.been_to_R1 == 1)
           sendto D

  31. Examples – Waypoint. been_to_R1 is a packet attribute indicating whether the packet has visited R1; S sends the packet with R_D and been_to_R1 = 0.

  32. Examples – Waypoint. Before waypoint R1: been_to_R1 = 0, so routers forward the packet to R1.

  33. Examples – Waypoint. At the waypoint: R1 sets been_to_R1 = 1.

  34. Examples – Waypoint. After the waypoint: been_to_R1 = 1, so routers forward the packet to D.

  35. Examples – Middlebox. Addition to the waypoint rule: R1 provides IDS functionality. R_D:
         if(packet.been_to_R1 == 0)
           if(router.address != R1)
             sendto R1
           else
             packet.been_to_R1 = 1
             invoke IDS_func
         if(packet.been_to_R1 == 1)
           sendto D

  36. Examples – Secure Middlebox. Problem with the rule above: a malicious user could set the packet attributes (been_to_R1 = 1) so that the packet appears to have visited the middlebox.

  37. Examples – Secure Middlebox (1). Allow only packets from R1 when the state equals 1; anti-spoofing does not allow spoofing the source attribute. R_D:
         if(packet.been_to_R1 == 0)
           if(router.address != R1)
             sendto R1
           else
             packet.been_to_R1 = 1
             packet.source = R1
             invoke IDS_func
         if(packet.been_to_R1 == 1)
           if(packet.source == R1)
             sendto D

  38. Examples – Secure Middlebox (2). Invoke functionality to (cryptographically) prove that the packet visited the middlebox, and functionality to verify the middlebox proofs at D. R_D:
         if(packet.been_to_R1 == 0)
           if(router.address != R1)
             sendto R1
           else
             packet.been_to_R1 = 1
             invoke Crypto_proof
         if(packet.been_to_R1 == 1)
           packet.been_to_R1 = 2
           invoke IDS_func
         if(packet.been_to_R1 == 2)
           if(router.address != D)
             sendto D
           else
             invoke Verify_and_Deliver

  39. Examples – Conditioned Middlebox. Use the middlebox only for packets not destined to port 80. R_D:
         if(packet.dest_port == 80)
           sendto D
         else
           // Middlebox rule
           ...
     [Figure: port = 80 → D directly; port != 80 → IDS → D]

  40. Examples – DoS protection
     • Create "capability-like rules", e.g., for a client with address S:
         R_S_D:
           if(packet.source != S)
             drop
           sendto D

  41. Examples – DoS protection
     • D can control the number of simultaneous clients by controlling the number of authorized rules (a rule for each client)

  42. Examples – DoS protection
     • Need to grant rules on demand
       • Dynamic (vs. static DNS)
       • Provision this service against DDoS (denial of rule)
       • DNS redirects to third parties providing this service
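The rule forwarding mechanism (slides 9–27) and the waypoint, middlebox, secure-middlebox and capability-like rules (slides 29–37 and 40–42) can be exercised with a small interpreter. What follows is an added example written for this page, not the authors' prototype or code from the talk: the tuple encoding of rules, the attribute names (been_to_R1, source, flow), the node set S, A, R1, D and the IDS stub are all assumptions. It runs the naive middlebox rule and the Secure Middlebox (1) rule against a packet whose sender pre-sets been_to_R1 = 1 (the attack of slide 36), and the capability-like rule R_S_D against an unauthorized source.

```python
# Added example (not the authors' code): interpreter for RBF-style rules plus a
# path simulation. Rule encoding, attribute names and the S/A/R1/D nodes are
# assumptions made for this page.
from dataclasses import dataclass, field

# Conditions are comparisons only: (("packet", "been_to_R1"), "==", 0), etc.
OPS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b}

@dataclass
class Packet:
    rule: list                    # certified rule carried in the header
    attrs: dict                   # 5-tuple fields plus rule-defined attributes
    payload: bytes = b""
    trace: list = field(default_factory=list)   # (router, outcome) per hop

@dataclass
class Router:
    attrs: dict                   # forwarding attributes, read-only for rules
    functions: dict = field(default_factory=dict)  # ISP/middlebox functions by name

def term(t, pkt, router):
    """Resolve ("packet", name), ("router", name) or a literal."""
    if isinstance(t, tuple) and t[0] == "packet":
        return pkt.attrs.get(t[1])
    if isinstance(t, tuple) and t[0] == "router":
        return router.attrs[t[1]]
    return t

def execute(stmts, pkt, router):
    """Run statements in order; rules never write router state.
    Returns "drop", ("sendto", addr) or None (no forwarding decision made)."""
    for stmt in stmts:
        kind = stmt[0]
        if kind == "if":          # ("if", (lhs, op, rhs), then_stmts, else_stmts)
            _, (lhs, op, rhs), then_b, else_b = stmt
            taken = then_b if OPS[op](term(lhs, pkt, router), term(rhs, pkt, router)) else else_b
            result = execute(taken, pkt, router)
            if result is not None:
                return result
        elif kind == "set":       # ("set", attr, value_term): packet attributes only
            pkt.attrs[stmt[1]] = term(stmt[2], pkt, router)
        elif kind == "invoke":    # ("invoke", name): only if the router offers it
            if stmt[1] in router.functions:
                router.functions[stmt[1]](pkt)
        elif kind == "drop":
            return "drop"
        elif kind == "sendto":    # ("sendto", addr): handed to IP forwarding
            return ("sendto", stmt[1])
    return None

def forward(pkt, sender, routers, max_hops=8):
    """IP forwarding is abstracted: a sendto moves the packet straight to the named
    node. Ingress filtering (the slides' anti-spoofing assumption) is modelled at the
    first hop: the source attribute must name the real sender. A rule that ends
    without a forwarding action is counted as a drop here (an assumption)."""
    if pkt.attrs.get("source") != sender:
        return "dropped:spoofed-source"
    at = sender
    for _ in range(max_hops):
        outcome = execute(pkt.rule, pkt, routers[at])
        pkt.trace.append((at, outcome))
        if outcome is None or outcome == "drop":
            return f"dropped:{at}"
        if outcome[1] == at:      # sendto our own address: local delivery
            return f"delivered:{at}"
        at = outcome[1]
    return "dropped:hop-limit"

def middlebox_rule(secure):
    """Waypoint + IDS rule (slide 35). secure=True applies Secure Middlebox (1):
    R1 stamps packet.source, and forwarding to D requires packet.source == R1."""
    at_r1 = [("set", "been_to_R1", 1)]
    if secure:
        at_r1.append(("set", "source", "R1"))
    at_r1.append(("invoke", "IDS_func"))
    to_d = [("sendto", "D")]
    if secure:
        to_d = [("if", (("packet", "source"), "==", "R1"), to_d, [])]
    return [("if", (("packet", "been_to_R1"), "==", 0),
             [("if", (("router", "address"), "!=", "R1"), [("sendto", "R1")], at_r1)], []),
            ("if", (("packet", "been_to_R1"), "==", 1), to_d, [])]

def capability_rule(client):
    """R_S_D from the DoS-protection slides: drop unless the source is the client."""
    return [("if", (("packet", "source"), "!=", client), [("drop",)], []),
            ("sendto", "D")]

def send(rule, attrs, sender="S"):
    """Constructed scenario: nodes S, A (another sender), R1 (IDS middlebox), D.
    Returns (outcome, whether the IDS at R1 inspected the packet)."""
    inspected = []
    routers = {name: Router({"address": name}) for name in ("S", "A", "D")}
    routers["R1"] = Router({"address": "R1", "has_ids": True},
                           {"IDS_func": lambda p: inspected.append(p.attrs["flow"])})
    pkt = Packet(rule, dict(attrs), b"constructed payload")
    return forward(pkt, sender, routers), len(inspected) == 1
```

With the naive rule, a packet sent with been_to_R1 already set to 1 is delivered to D without ever reaching the IDS; with the Secure Middlebox (1) rule the same packet is dropped at the first router because its source attribute is not R1, and a packet that claims source R1 is stopped by ingress filtering before any rule runs.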

  43. RBF Examples
     • Filter ports/prefixes – only receive specific traffic
     • Protect against DoS attacks
     • Mobility
     • Middleboxes
     • Secure loose path forwarding – select provider, reliability
     • Multiple paths
     • Anycast
     • Record path state – network probing, ECN, path identifier
     • On-path redirection – Delay Tolerant Networks
     • Use on-path router functions deployed by ISPs – multicast, caching, WAN optimizers, content routing, energy efficiency
     • ...

  44. Rule Properties: 1. Flexible

  45. Rule Properties – 1. Flexible. Rules enable endpoints to:
     a) Block unwanted packets in the network
     b) Control path selection using waypoints
     c) Use router state in forwarding decisions and record this state
     d) Use specialized functions at middleboxes and routers, if available

  46. Rule Properties: 1. Flexible  2. Policy Compliant

  47. Rule Properties – 2. Policy Compliant
     • Rules are certified by trusted entities – Rule Certifying Entities (RCEs)
     • Rules are above the routing-controlled layer – IP
     • Route discovery and computation fully controlled by ISPs

  48. Rule Properties: 1. Flexible  2. Policy Compliant  3. Safe

  49. Rule Properties – 3. Safe
     • Bounded forwarding time – no loops, only comparison operations, cannot modify payload
     • Cannot modify router state
     • Cannot amplify traffic – no network loops (static analysis), cannot replicate packets
     • Invoked functions are fully controlled by ISPs/middlebox owners – resource isolation and access control to prevent attacks; rules merely offer a (policy-compliant) mechanism to use them
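The "Safe" properties above are what a Rule Certifying Entity can check statically before signing a rule, and the signature and lease checks of slides 3 and 28 are what a router does before following one. The block below is an added example written for this page, not the authors' code: the tuple encoding of rules is an assumption, and HMAC-SHA256 stands in for the RCE's signature (a real RCE would use a public-key signature so that routers hold only the RCE's public key; using a shared key here is an assumption for a self-contained example).

```python
# Added example (not the authors' code): RCE-side static safety checks and
# router-side signature/lease checks for RBF-style rules. The tuple encoding is
# an assumption; HMAC stands in for the RCE's public-key signature (assumption).
import hashlib
import hmac
import json

COMPARISONS = {"==", "!=", ">", "<"}
ACTIONS = {"set", "drop", "sendto", "invoke"}

def analyze(stmts):
    """Check the 'Safe' properties statically. Returns (violations, max_steps):
    violations is a list of reasons; max_steps is the longest straight-line
    execution, finite because the encoding has no loops or jumps."""
    violations, steps = [], 0
    for stmt in stmts:
        kind = stmt[0]
        if kind == "if":                       # ("if", (lhs, op, rhs), then, else)
            _, (lhs, op, rhs), then_b, else_b = stmt
            if op not in COMPARISONS:          # conditions are comparison operations only
                violations.append(f"non-comparison operator {op!r} in condition")
            v_then, s_then = analyze(then_b)
            v_else, s_else = analyze(else_b)
            violations += v_then + v_else
            steps += 1 + max(s_then, s_else)
        elif kind == "set":                    # ("set", target, value_term)
            target = stmt[1]
            if isinstance(target, tuple) and target[0] == "router":
                violations.append(f"rule writes router state {target[1]!r}")
            elif target == "payload":
                violations.append("rule writes the payload")
            steps += 1
        elif kind in ACTIONS:                  # drop / sendto / invoke: one step each
            steps += 1
        else:                                  # e.g. an action kind the mechanism lacks
            violations.append(f"unknown action {kind!r}")
    return violations, steps

def certify(rule, lease_seconds, rce_key, now):
    """RCE side: refuse unsafe rules; otherwise bind the rule to a lease expiry
    and authenticate both (HMAC-SHA256 as a stand-in for the RCE signature)."""
    violations, _ = analyze(rule)
    if violations:
        raise ValueError("; ".join(violations))
    body = json.dumps({"rule": rule, "expires": now + lease_seconds},
                      sort_keys=True).encode()
    tag = hmac.new(rce_key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def router_accepts(certified, rce_key, now):
    """Router side: verify the tag before parsing anything, then drop the rule
    if its lease has expired."""
    expected = hmac.new(rce_key, certified["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, certified["tag"]):
        return "reject:bad-signature"
    if now > json.loads(certified["body"])["expires"]:
        return "reject:expired"
    return "accept"

# The waypoint rule from the slides in the tuple encoding used above.
WAYPOINT_RULE = [
    ("if", (("packet", "been_to_R1"), "==", 0),
     [("if", (("router", "address"), "!=", "R1"), [("sendto", "R1")],
       [("set", "been_to_R1", 1)])], []),
    ("if", (("packet", "been_to_R1"), "==", 1), [("sendto", "D")], []),
]

# A constructed rule that breaks the safety properties: it writes router state
# and uses an action kind the mechanism does not define.
UNSAFE_RULE = [("set", ("router", "congestion"), 0), ("replicate", "D")]
```

The step count is the static bound on forwarding work per router: for the waypoint rule it is five evaluated statements on the longest path, and a rule that writes router state or uses an undefined action never receives a certificate.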

  50. Related Work: 1. Flexibility  2. Policy-Compliance  3. Some of each

  51. Related Work – 1. Flexibility
     • Active Networks, ESP, Overlays (e.g., i3, DOA), Loose path forwarding, DTN, Mobility (e.g., Mobile IP, HIP), Multiple paths (e.g., MIRO), etc.
     • Rules vs. Active Networks:
       • Forwarding directives vs. programs
       • Safe and statically analyzable
       • Policy-compliance for multiple parties
       • Allow invoking ISP-deployed functions for processing

  52. Related Work – 2. Policy-Compliance
     • In-network filters (PushBack, AITF, StopIt, Predicate Routing, Off-by-default), Network Capabilities (TVA, SIFF)
     • RBF:
       • Adds flexibility
       • Adds multi-party policy compliance

  53. Related Work – 3. Some of each
     • E.g., Platypus, NUTSS, ICING enable policy-compliant source routing
     • RBF:
       • Generalizes flexibility
       • Enables richer policies based on the entire forwarding behavior

  54. Outline
     • Motivation & Solution Overview
     • Rule-Based Forwarding Architecture – Overview
     • Rule Forwarding Mechanism & Examples
     • Evaluation

  55. Evaluation – Questions
     • Size overhead of rules
     • Forwarding overhead
       • Fast path (no rule verification)
       • Slow path (involves rule verification)
     • Performance isolation between invoked functions and forwarding
     • Load on RCEs
     • Security analysis

  57. Evaluation – Rule Sizes
     [Bar chart: bytes per rule (0–140), stacked as Rule Encoding, Control, Signature]

  58. Evaluation – Rule Sizes. Overhead of one rule is ~60–140 bytes

  59. Evaluation – Rule Sizes. Average 85 bytes: 13% of the average Internet packet (630 B)

  60. Evaluation – Rule Sizes. 27% if using RSA signatures

  61. Evaluation – Prototype RBF Router
     • Software router on top of RouteBricks [SOSP 2009]
     • 8-core Nehalem server, 2 dual-port NICs
     • Example router setup:
       [Figure: two sockets (Socket 0, Socket 1) of CPU cores with memory and caches; in the kernel, each core runs RBF + IP forwarding; at user level, Multicast, Caching, Firewall, IDS and a controller]

  62. Evaluation – Forwarding Using Rules
     • No signature verification, using all 8 cores
     [Bar chart: Gbps (0–40), RBF over RouteBricks vs. RouteBricks alone]

  63. Evaluation – Forwarding Using Rules. Rule forwarding incurs little overhead on RouteBricks
