SAVE: Source Address Validity Enforcement Protocol Authors: Li, Mirkovic, Wang, Reiher, Zhang Presented By: Michael Pincott Date: 07/22/2003
Outline
• Introduction
• Design Principles
  • SAVE Protocol
  • SAVE Update
• SAVE Protocol
  • Architecture
  • Data Structures
• SAVE Updates
  • Generation
  • Tree Updates
  • Processing
  • Maintenance
  • Forwarding
• Security
• Simulation
• Deployment
• Conclusions
• Appendix
SAVE: Introduction • IP packets must carry a correct source address. • Forging the IP source address gives an attacker: • Anonymity • DDoS attacks • TCP SYN floods • Smurf attacks (reflected floods that put the victim's address in the source field)
SAVE: Introduction • Existing methods of handling forged source addresses: • Tracing the attack back to its source with the help of system administrators (slow and manual). • Ingress filtering (only works where every edge network deploys it). • Filtering forged packets on the basis of the forwarding table (breaks when routing is asymmetric, because the interface a packet arrives on need not be the one used to reach its source). • Cryptographic authentication of packets (computationally expensive).
SAVE: Introduction • Solution: • Build reliable router tables that specify the source addresses allowed to arrive on each incoming interface. • Runs on individual routers, alongside the existing routing protocol.
Design Principles • SAVE Protocol: • Routing Protocol Independence • Immediate Response to Routing Changes • Security • Incremental Deployment • Low Overhead
Design Principles • SAVE Updates: • End-to-End Communication • Aggregation of SAVE Updates • Minimize Duplication
SAVE Protocol • Build router tables that specify the valid source addresses for each incoming interface. • A router sends SAVE updates toward each destination in its forwarding table; the routers along the path use them to build tables listing the valid source addresses that can arrive on each of their incoming interfaces. • SAVE updates consist of three fields: destination address space, address space vector, appendable flag.
SAVE Protocol • Example – SAVE updates: • Router B forwards packets from a network whose source addresses lie in 131.192.0.0/16 and sends a SAVE update carrying that address space to router A. • Router A is connected to routers R and r through interfaces 1 and 2. • Router A records that 131.192.0.0/16 arrives on the interface facing B and forwards the SAVE update through interfaces 1 and 2 to routers R and r.
SAVE Protocol • Example – Routing Changes: • (b) Router A keeps lists of the source addresses it expects to receive on each incoming interface. • Link DB goes down. • (c) The SAVE updates triggered by the forwarding-table change tell router A to expect those source addresses on different interfaces.
SAVE Protocol • Example – Routing Changes and Incoming Tree Updates: • (a) Router A has a tree listing all the valid source addresses arriving at each interface. • Link DB goes down. • (b) The tree is updated to reflect the change in network topology caused by link DB's failure.
SAVE Protocol • Tree Attributes: • The tree is constructed from SAVE updates. • Tree nodes represent specific source address spaces. • Child nodes inherit the incoming interface of their parent, so a routing change that moves one node moves the whole subtree behind it.
SAVE Updates • Updates consist of: <destination space = D, ASV (address space vector) = <Sr>, appendable = true/false> • Destination space is the address space the SAVE update is travelling toward. • The address space vector records the source address spaces on the path the SAVE update has traversed en route to the destination. • Appendable is a flag that allows routers en route to the destination to append their own address spaces to the ASV. • Updates are encapsulated in an IP datagram whose destination address is chosen at random from D, so the update follows the same forwarding path as data packets to D.
SAVE Updates • SAVE updates en route to the destination pass through other SAVE routers. Each intermediate router updates its SAVE tree from the source address spaces in the ASV field, recording the interface on which the update arrived. • If the appendable flag is true, the intermediate SAVE router appends its own address spaces to the ASV field before forwarding.
SAVE Updates • SAVE Update Processing: • When a router receives a SAVE update it must process it to maintain its tree. • It records the path that the SAVE update has traversed. • It forwards the update along the same path that data packets to that destination take.
SAVE Updates • ASV Maintenance: • If a router initiates a SAVE update to a destination for which it has just forwarded another SAVE update, it can set the appendable flag to false, since the path information has already been carried downstream and need not be resent. • Downstream routers can still read the ASV field but cannot append to it.
SAVE Updates • SAVE Update Forwarding: • SAVE updates are sent toward every destination in the router's IP forwarding table. • Where the forwarding table has multiple next hops for the same destination, SAVE duplicates the update and forwards a copy to each next hop.
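The following is an added example, not code from the paper or the presentation: a toy simulator of the update generation, ASV appending, table building and packet checking described in the SAVE Protocol and SAVE Updates slides. It flattens the incoming tree into a per-prefix table with longest-prefix lookup, names each interface after the neighbour on the far end of the link, feeds in static forwarding tables instead of running RIP/BGP, and treats a source with no table entry as spoofed; all of these are simplifications chosen here. The topology (D, B, C, A, R, r and their prefixes) is constructed for the example.

```python
"""Toy SAVE simulator (added example). Routers send SAVE updates toward every destination in
their forwarding table; each router the update passes through records, for every source space
in the ASV, the interface the update arrived on, and later checks data packets against that."""
import ipaddress
from dataclasses import dataclass

Prefix = ipaddress.IPv4Network


@dataclass
class SaveUpdate:
    dest: Prefix      # destination address space D the update travels toward
    asv: list         # address space vector: source spaces seen along the path so far
    appendable: bool  # may intermediate routers add their own spaces to the ASV?


class Router:
    def __init__(self, name, spaces=()):
        self.name = name
        self.spaces = [Prefix(s) for s in spaces]  # address spaces this router originates
        self.fwd = {}       # IP forwarding table: destination prefix -> next-hop router
        self.incoming = {}  # SAVE incoming table: source prefix -> interface it must arrive on

    def set_forwarding(self, table):
        self.fwd = {Prefix(dest): nexthop for dest, nexthop in table.items()}

    def generate_updates(self, net):
        # One update per known destination, carrying this router's own source spaces.
        for dest, nexthop in self.fwd.items():
            if self.spaces:
                net.deliver(self.name, nexthop, SaveUpdate(dest, list(self.spaces), True))

    def receive_update(self, net, iface, upd):
        # Every space in the ASV reached us on `iface`; data from it must arrive there too.
        for space in upd.asv:
            self.incoming[space] = iface
        if upd.dest in self.spaces:
            return                           # we are the destination D: update consumed
        if upd.appendable:
            upd.asv = upd.asv + self.spaces  # routers further down also learn our spaces
        net.deliver(self.name, self.fwd[upd.dest], upd)  # same next hop that data for D takes

    def expected_interface(self, src):
        # Longest-prefix match over the incoming table (flattened tree, see lead-in).
        ip = ipaddress.ip_address(src)
        matches = [p for p in self.incoming if ip in p]
        if not matches:
            return None
        return self.incoming[max(matches, key=lambda p: p.prefixlen)]

    def accept(self, src, iface):
        # Assumption of this toy: a source with no table entry at all is treated as spoofed.
        return self.expected_interface(src) == iface


class Network:
    """Links are point to point; an interface is named after the neighbour behind it."""

    def __init__(self, routers):
        self.routers = {r.name: r for r in routers}
        self.updates_sent = 0  # hop-by-hop update transmissions, a rough overhead measure

    def deliver(self, frm, to, upd):
        self.updates_sent += 1
        self.routers[to].receive_update(self, frm, upd)

    def run_save(self):
        for r in self.routers.values():
            r.generate_updates(self)


def build_network():
    # Constructed topology: stub router D (131.192.0.0/16) reaches A via B or C; A serves R and r.
    D = Router("D", ["131.192.0.0/16"])
    B, C, A = Router("B"), Router("C"), Router("A")
    R, r = Router("R", ["10.1.0.0/16"]), Router("r", ["10.2.0.0/16"])
    D.set_forwarding({"10.1.0.0/16": "B", "10.2.0.0/16": "B"})  # D prefers the path via B
    for transit in (B, C):
        transit.set_forwarding({"10.1.0.0/16": "A", "10.2.0.0/16": "A", "131.192.0.0/16": "D"})
    A.set_forwarding({"10.1.0.0/16": "R", "10.2.0.0/16": "r", "131.192.0.0/16": "B"})
    R.set_forwarding({"10.2.0.0/16": "A", "131.192.0.0/16": "A"})
    r.set_forwarding({"10.1.0.0/16": "A", "131.192.0.0/16": "A"})
    net = Network([D, B, C, A, R, r])
    net.run_save()
    return net


def fail_link_db(net):
    # Link D-B goes down: routing converges on C and the routers re-issue SAVE updates.
    net.routers["D"].set_forwarding({"10.1.0.0/16": "C", "10.2.0.0/16": "C"})
    net.routers["A"].fwd[Prefix("131.192.0.0/16")] = "C"
    net.run_save()
    return net


if __name__ == "__main__":
    net = build_network()
    A = net.routers["A"]
    print("131.192.5.5 from B:", A.accept("131.192.5.5", "B"))  # True
    print("131.192.5.5 from R:", A.accept("131.192.5.5", "R"))  # False: spoofed
    fail_link_db(net)
    print("131.192.5.5 from C after failure:", A.accept("131.192.5.5", "C"))  # True
```

Running it shows the two behaviours the slides describe: at A, a packet claiming a 131.192.0.0/16 source is accepted only on the interface facing B, and once link D-B fails and the forwarding tables change, a second round of updates moves that expectation to the interface facing C with no change to the checking code.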
Security • Securing SAVE is similar to securing a routing protocol. • SAVE updates should be exchanged only between routers, never accepted from hosts. • An attacker would therefore have to compromise a router to mount an attack on SAVE. • Routers should establish trust relationships before exchanging SAVE updates. • SAVE updates should be signed or encrypted. • Processing a SAVE update should require minimal overhead, so that a flood of bogus updates cannot be used as a DoS attack on the routers themselves.
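One concrete way to meet the "trust relationships" and "signed updates" points above, written here as an added example rather than anything specified by the paper: each pair of neighbouring routers shares a link key, and every router verifies an update with the key of the neighbour it came from, appends its own spaces if the appendable flag allows, and re-seals the result for the next hop. The sequence number, the `origin` field, the link keys and the address spaces are assumptions of this example.

```python
"""Hop-by-hop protection for SAVE updates (added example): each router shares a key with each
neighbour, verifies an update with the key of the neighbour it came from, appends its own
spaces if the appendable flag allows, and re-seals it for the next hop."""
import hashlib
import hmac
import json


def encode(update):
    # Canonical encoding so sender and receiver MAC exactly the same bytes.
    return json.dumps(update, sort_keys=True, separators=(",", ":")).encode()


def seal(key, update):
    """Attach an HMAC-SHA256 tag computed over the canonical encoding of the update."""
    tag = hmac.new(key, encode(update), hashlib.sha256).hexdigest()
    return {"update": update, "tag": tag}


def open_sealed(key, sealed, last_seq):
    """Return the update if the tag verifies and the sequence number is fresh, else None.
    `last_seq` maps originating router -> highest sequence number accepted from it."""
    update = sealed["update"]
    expected = hmac.new(key, encode(update), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):  # constant-time comparison
        return None
    if update["seq"] <= last_seq.get(update["origin"], -1):
        return None                                         # replayed or stale update
    last_seq[update["origin"]] = update["seq"]
    return update


def relay(key_in, key_out, sealed, own_spaces, last_seq):
    """What an intermediate SAVE router does with an update from its upstream neighbour."""
    update = open_sealed(key_in, sealed, last_seq)
    if update is None:
        return None
    if update["appendable"]:
        update = dict(update, asv=update["asv"] + list(own_spaces))
    return seal(key_out, update)


# Constructed keys for the links D-B and B-A (in practice provisioned out of band).
KEY_DB = b"link-key-D-B"
KEY_BA = b"link-key-B-A"


def scenario():
    """D originates an update, B relays it to A; three attacks are tried on the way."""
    results = {}
    upd = {"origin": "D", "seq": 7, "dest": "10.1.0.0/16",
           "asv": ["131.192.0.0/16"], "appendable": True}
    from_d = seal(KEY_DB, upd)
    seen_b, seen_a = {}, {}

    # 1. Honest relay: B verifies with KEY_DB, appends its space, re-seals with KEY_BA.
    from_b = relay(KEY_DB, KEY_BA, from_d, ["192.0.2.0/24"], seen_b)
    results["at_a"] = open_sealed(KEY_BA, from_b, seen_a)

    # 2. A host on the D-B link injects an update without knowing the link key.
    forged = seal(b"guess", dict(upd, asv=["10.2.0.0/16"]))
    results["forged"] = relay(KEY_DB, KEY_BA, forged, [], seen_b)

    # 3. An on-path attacker rewrites the ASV of a genuine update, keeping D's tag.
    tampered = {"update": dict(upd, asv=["10.2.0.0/16"]), "tag": from_d["tag"]}
    results["tampered"] = relay(KEY_DB, KEY_BA, tampered, [], seen_b)

    # 4. The genuine update is replayed later (B already accepted seq 7 from D).
    results["replayed"] = relay(KEY_DB, KEY_BA, from_d, [], seen_b)
    return results


if __name__ == "__main__":
    for name, value in scenario().items():
        print(name, "->", value)
```

The hop-by-hop MAC authenticates the neighbour, not the truth of what it appended: a compromised router can still insert spaces it does not own, which is exactly the slide's point that attackers must compromise routers to attack SAVE. The replay check matters because an old, validly signed update could otherwise re-install a stale incoming interface after a routing change.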
Simulation • Goals: • Test whether all spoofed packets are detected and dropped. • Test whether any valid packets are wrongly dropped. • Test the transient behaviour of SAVE during routing changes. • Determine the cost of SAVE in terms of overhead.
Simulation • Simulation Details: • A custom simulation environment was used. • SAVE runs on top of the routing protocols. • Inter- and intra-domain connectivity was tested using the transit-stub topology generator from GT-ITM. • BGP was used for inter-domain routing and RIP for intra-domain routing.
Simulation • Effectiveness: • Three packet sources were simulated. • Each packet source generates valid and spoofed packets using independent Poisson processes. • Numerous scenarios with different topologies were tested. • Only the spoofed packets are shown in Figure 5. • Results show that SAVE catches and drops every spoofed packet in these scenarios.
Simulation • Transient Behaviour: • Occurs when a new route to a destination is established: the SAVE trees need time to be rebuilt and propagated through the network via SAVE updates. • The assumption is that a SAVE update propagates with the same delay as a data packet. • If data packets are sent while the SAVE update triggered by a forwarding change is still in flight, packets may reach a router before the update does; a spoofed packet can then pass, because it is checked against obsolete incoming information. • Conversely, SAVE may treat a valid packet as spoofed if it arrives at a router before the incoming trees and tables have been rebuilt. • Experiments (not described in the text) showed no valid packets dropped because of routing changes.
Simulation • Cost (Bandwidth Used): • Measured the bandwidth and storage required for SAVE versus the routing protocols (RIP, BGP). • Incoming SAVE tables can be minimized by leveraging symmetry in network routing. • Minimization compares the valid incoming interface for an address space against the outgoing interface toward that space in the forwarding table; where they agree, the entry need not be stored separately. • The level of minimization depends on the degree of symmetry in the network. • For single-domain topologies, SAVE update bandwidth is 3.2 Kbps to 6.9 Kbps. • For multi-domain topologies, SAVE update bandwidth is 0.6 Kbps to 6.4 Kbps.
Simulation • Cost (Bandwidth used in random link failure simulations): • Simulations compare the bandwidth cost of SAVE versus BGP and RIP when random link failures are introduced. • Specific topologies with 90 and 97 links were tested. • Costs for SAVE and for the routing protocols vary with the severity of the link failures. • In general, SAVE costs less under the random link failure model than the routing protocols. • A link failure does not always trigger SAVE updates, since some forwarding tables are unaffected; this lowers bandwidth use.
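The minimization described on the "Cost (Bandwidth Used)" slide, worked through as an added example (not the paper's code): an incoming-table entry whose expected interface equals the forwarding table's outgoing interface for the same prefix is dropped and recovered from the forwarding table at lookup time, so only the asymmetric entries cost storage. The tables, prefixes and interface names are constructed for the example; prefixes present only in the forwarding table are assumed symmetric, which is a simplification chosen here.

```python
"""Incoming-table minimization by routing symmetry (added example). An entry whose expected
incoming interface for a source space equals the interface the forwarding table uses to reach
that space carries no information beyond the forwarding table, so it can be dropped and
recovered at lookup time."""
import ipaddress

Prefix = ipaddress.IPv4Network


def minimize(incoming, fwd):
    """Keep only entries where the incoming interface differs from the outgoing one."""
    return {p: iface for p, iface in incoming.items() if fwd.get(p) != iface}


def expected_interface(src, minimized, fwd):
    """Longest-prefix match over the explicit entries plus the forwarding table."""
    ip = ipaddress.ip_address(src)
    candidates = [p for p in set(minimized) | set(fwd) if ip in p]
    if not candidates:
        return None
    best = max(candidates, key=lambda p: p.prefixlen)
    return minimized.get(best, fwd.get(best))  # explicit (asymmetric) entry wins


def savings(incoming, fwd):
    """Fraction of incoming-table entries eliminated for this router."""
    return 1 - len(minimize(incoming, fwd)) / len(incoming)


# Constructed tables for one router: three symmetric routes and one asymmetric one
# (packets from 198.51.100.0/24 arrive from C but are routed back toward it via B).
INCOMING = {Prefix("131.192.0.0/16"): "B", Prefix("10.1.0.0/16"): "R",
            Prefix("10.2.0.0/16"): "r", Prefix("198.51.100.0/24"): "C"}
FWD = {Prefix("131.192.0.0/16"): "B", Prefix("10.1.0.0/16"): "R",
       Prefix("10.2.0.0/16"): "r", Prefix("198.51.100.0/24"): "B"}

if __name__ == "__main__":
    small = minimize(INCOMING, FWD)
    print("stored entries:", len(small), "of", len(INCOMING))
    print("198.51.100.7 expected on", expected_interface("198.51.100.7", small, FWD))
    print("131.192.1.1 expected on", expected_interface("131.192.1.1", small, FWD))
```

With fully symmetric routing the stored table would be empty and SAVE would degenerate to forwarding-table filtering; the stored entries are precisely the cases where forwarding-table filtering gets the answer wrong.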
Deployment • Deployment: • SAVE must remain effective when only partially deployed. • Packets whose path to a SAVE router runs through a legacy router, so that their source address has not been verified by SAVE, can be flagged as suspicious. • Deploying SAVE in a regional router protects the region from the reflected TCP SYN attack in which a victim's source address is spoofed and the victim is then flooded with SYN-ACK responses. • Regional SAVE deployment limits the number of addresses that can be spoofed. • Purdue's research on distributed packet filtering is complementary to SAVE and shows that even partial deployment reduces the chances of a successful attack.
Deployment • Mobile IP and Tunnelling: • Mobile hosts keep their home IP address, so a plain SAVE check rejects a mobile host's packets whenever it is outside its home network. • Reverse tunnelling works with SAVE: the mobile host's outgoing packets are tunnelled to the home network and forwarded from there, so they enter the network where their source address is valid. • IPv6's "care-of address" avoids this problem. • In IP tunnelling, a packet's source address is buried inside a wrapping IP header; SAVE must look inside the packet to find the true source address. • Known tunnel endpoints can be handled with special SAVE updates.
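The tunnelling caveat above, as an added example that is not part of the presentation: the checker unwraps IPv4-in-IPv4 encapsulation to find the innermost source, validates the outer header the ordinary SAVE way, and then checks the inner source against a per-endpoint allow list. That allow list (`TUNNEL_ENDPOINTS`), the nesting bound, the addresses and the packets are assumptions constructed for the example; how the paper's "special SAVE updates" for tunnel endpoints would populate such a list is not specified on the page.

```python
"""Finding the true source of an IP-in-IP packet (added example). SAVE can only validate the
innermost source address if it unwraps the encapsulating header(s) first."""
import ipaddress
import struct

IPPROTO_IPIP = 4   # IPv4-in-IPv4 encapsulation (RFC 2003)
IPPROTO_UDP = 17
MAX_NESTING = 4    # bound so a crafted packet cannot make the checker walk forever


def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum left zero; the checker ignores it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)


def parse_ipv4(buf):
    """Return (src, dst, protocol, header_length) for the IPv4 header at the start of buf."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    if vihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (vihl & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        raise ValueError("bad IHL")
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, ihl


def true_source(buf):
    """Return (outer_src, innermost_src), unwrapping IP-in-IP layers up to MAX_NESTING."""
    offset, outer_src = 0, None
    for _ in range(MAX_NESTING + 1):
        src, _dst, proto, ihl = parse_ipv4(buf[offset:])
        outer_src = outer_src if outer_src is not None else src
        if proto != IPPROTO_IPIP:
            return outer_src, src
        offset += ihl
    raise ValueError("encapsulation nested too deeply")


# Assumed policy, not from the paper: which inner source spaces each known tunnel endpoint
# may legitimately carry.
TUNNEL_ENDPOINTS = {
    ipaddress.ip_address("203.0.113.1"): [ipaddress.ip_network("10.9.0.0/16")],
}


def accept_packet(buf, arrival_iface, expected_iface):
    """expected_iface(addr) is the ordinary SAVE incoming-table lookup for addr."""
    outer_src, inner_src = true_source(buf)
    if expected_iface(outer_src) != arrival_iface:
        return False                   # the wrapper itself is spoofed: ordinary SAVE check
    if inner_src == outer_src:
        return True                    # not tunnelled
    allowed = TUNNEL_ENDPOINTS.get(outer_src, [])
    return any(inner_src in space for space in allowed)


def build_tunneled(outer_src, outer_dst, inner_src, inner_dst, payload=b"payload"):
    """Constructed IPv4-in-IPv4 packet for testing."""
    inner = ipv4_header(inner_src, inner_dst, IPPROTO_UDP, len(payload)) + payload
    return ipv4_header(outer_src, outer_dst, IPPROTO_IPIP, len(inner)) + inner


if __name__ == "__main__":
    expect = lambda addr: "T"   # toy incoming table: everything is expected on interface T
    good = build_tunneled("203.0.113.1", "198.51.100.9", "10.9.1.1", "198.51.100.9")
    bad = build_tunneled("203.0.113.1", "198.51.100.9", "172.16.0.1", "198.51.100.9")
    print(true_source(good), accept_packet(good, "T", expect))  # ... True
    print(true_source(bad), accept_packet(bad, "T", expect))    # ... False
```

Without the unwrapping step a router would validate only the tunnel endpoint's address, and anything the endpoint chose to put in the inner header would pass; the nesting bound keeps a deliberately deep encapsulation from turning the check itself into a DoS vector on the router.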
Conclusion • SAVE provides source address validation without computationally expensive cryptography. • SAVE builds tables and trees that reject spoofed source addresses, with no more complexity than routing protocols already have. • SAVE can help defend against the DoS and DDoS attacks currently plaguing the Internet.