1 / 14

NPLA: Network Prefix Level Authentication

NPLA: Network Prefix Level Authentication. Ming Li,Yong Cui,Matti Siekkinen,Antti Ylä-Jääski Aalto University, Finland Tsinghua University, China. Structure. Motivation Objective Architecture overview Implementation Overhead Conclusion and future work.

dewei
Download Presentation

NPLA: Network Prefix Level Authentication

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. NPLA: Network Prefix Level Authentication Ming Li,Yong Cui,Matti Siekkinen,Antti Ylä-Jääski Aalto University, Finland Tsinghua University, China

  2. Structure • Motivation • Objective • Architecture overview • Implementation • Overhead • Conclusion and future work GlobeCom'10 Workshop on FutureNet, Miami, Florida, USA

  3. Motivation • IP addresses spoofing • Lack of accountability • DoS, vulnerability scanning,... • Ruin noval applications in practice • ... GlobeCom'10 Workshop on FutureNet, Miami, Florida, USA

  4. Objective • Our Goal • Provide packet level authentication on the Internet • Basic Approach • Digital signatures on packets GlobeCom'10 Workshop on FutureNet, Miami, Florida, USA

  5. Objective • Accountability is the responsibility for one’s actions • Link actions to their actors • Punish misbehavior • Packet Authentication • Eliminate/mitigate source spoofing based attacks • Target for existing Internet not clean slate solution GlobeCom'10 Workshop on FutureNet, Miami, Florida, USA

  6. Architecture overview (NPLA) GlobeCom'10 Workshop on FutureNet, Miami, Florida, USA

  7. Implementation • How to implement if we intend to for partial deployment in today’s Internet • What kind of key • Which protocol layer • Signature size • Crypt. security • Key distribution • Granularity • Inject/verify entities • Interact with legacy entities • Host, router, NAT, prefix aggregation... • Overhead • Effectiveness GlobeCom'10 Workshop on FutureNet, Miami, Florida, USA

  8. Requirements->Implementation • Strong identitifier/on route entities could verify the packets -> key type • Asymmetric key • Compatibility -> protocol layer • Shim layer between IP and TCP GlobeCom'10 Workshop on FutureNet, Miami, Florida, USA

  9. Requirements->Implementation... • Key distribution • Public key infrastructure (PKI) • Routing protocols (BGP) • Offline • Signature size and security • ECC public key cryptography algorithm • Security: 163-bit ECC key = 1024-bit RSA key GlobeCom'10 Workshop on FutureNet, Miami, Florida, USA

  10. Requirements->Implementation... • Security level/key management overhead -> authentication granularity • Host/personal level • Network prefix level (intra-domain) • AS level (inter-domain) • Signature injection and verification entities • Prefix border router • AS border router GlobeCom'10 Workshop on FutureNet, Miami, Florida, USA

  11. Requirements->Implementation • Partial/incremental deployment, interact with legacy entities • Legacy host (strip off before arriving) • Router (compatible) • NAT (update) • Prefix aggregation (known to the administrator) • Incentive deployment • IP fragmentation GlobeCom'10 Workshop on FutureNet, Miami, Florida, USA

  12. Overhead and performance • The overhead must be affordable • Computation overhead (FPGA crypt hardware) • Generate 645K/s and verify 283K/s signatures • Generate 3.8G/s and 1.7G/s traffic • Traffic overhead (%6-10%) • Memory overhead • 13MB for prefix level authentication GlobeCom'10 Workshop on FutureNet, Miami, Florida, USA

  13. Overhead and Performance • Delay • ~16us per generation • ~24us per verification GlobeCom'10 Workshop on FutureNet, Miami, Florida, USA

  14. Conclusion and Future Work • Authenticate packets to its claimed network prefix • Implementation challenges • How to make it work in practice? • Future work • Implementation in real networks GlobeCom'10 Workshop on FutureNet, Miami, Florida, USA

More Related