Efficient and Secure Source Authentication with Packet Passports Xin Liu (UC Irvine) Xiaowei Yang (UC Irvine) David Wetherall (Univ. of Washington) Thomas Anderson (Univ. of Washington)

Outline

  • Motivation
  • Design
      • High-Level Idea
      • Challenges and Solutions
  • Feasibility Analysis
  • Related Work
  • Summary

Denial-of-Service (DoS) Flooding Attack

[Figure: flooding attack; surviving label: Victim]

  • This type of attack is prevalent
      • Yahoo was knocked down in Feb 2000
      • Online extortion

General Approaches to Combat DoS Flooding Attacks

  • Preventive
      • Prevent DoS attacks from happening
      • Capability System [Anderson03, Yaar04, Yang05]
      • Ticket System [Patel97]
  • Reactive
      • Eliminate DoS attacks after they cause damage
      • Filtering

Our next step is to compare the two and pick the winner

Filtering is Difficult

[Figure: filtering illustration; callouts: "Filtering!"]

  • Filtering
      • By default, all traffic is allowed to pass
      • Victim requests to install filters to remove attack traffic
  • Challenges
      • Installing filters close to the attack sources
      • Describing attack traffic in filter description
          • Any field of a packet can be forged, including source IP address

Authentic Source Identifier can Help

  • Advantages
      • Showing where a packet comes from
      • Serving as a traffic descriptor in filters
  • Source IP address is not verifiable
      • Cannot be trusted unless spoofing is totally eliminated
          • Routers may be compromised

[Figure: filters "Filter: SrcID=X" and "Filter: SrcID=Y" applied to traffic labeled SrcID=X and SrcID=Y]

Outline

  • Motivation
  • Design
      • High-Level Idea
      • Challenges and Solutions
  • Feasibility Analysis
  • Related Work
  • Summary

Our Solution: Packet Passport System

[Figure: an IP packet laid out as IP Header, Passport, Payload]

Goal of a passport: providing an authentic source identifier that routers can verify independently at packet forwarding time

Requirements

  • A passport must be:
      • Unforgeable
      • Efficient to generate and verify
          • Digital signature: computationally expensive
  • The packet passport system must:
      • Bootstrap with minimum out-of-band communication
      • Be robust against DoS attacks

High Level Idea

[Figure: nodes A, R and B. A holds K(A,R) and K(A,B); R holds K(A,R) and K(R,B); B holds K(A,B) and K(R,B). The packet is drawn three times, each time as a passport (A; R, MAC_R; B, MAC_B) in front of the IP packet, with A labeled "Source Identifier".]

MAC_R = MAC_{K(A,R)}(A, R, B, SrcIP, DstIP, …)

MAC: Message Authentication Code
K(X,Y): Symmetric key shared between two nodes X and Y

Challenges

  • Scalability
      • Too many keys
      • Path in passport too long
  • How to establish secret keys
      • Bootstrapping key distribution messages cannot contain passports
      • Key distribution messages may be dropped due to DoS attacks
  • Packets with valid passports may be replayed to launch DoS attacks

Two-Level Hierarchy for Scalability

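[Figure: hosts A and B connected across domains AS1, AS2 and AS3, with routers R1 to R6. AS1 holds K(AS1,AS2) and K(AS1,AS3); AS2 holds K(AS1,AS2) and K(AS2,AS3); AS3 holds K(AS1,AS3) and K(AS2,AS3). The passport carries AS1, an intra-domain identifier, and the pairs (AS2, MAC2) and (AS3, MAC3).]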

Limitation of Two-Level Hierarchy

  • Only the source domain can verify intra-domain identifiers
      • Filters may not be effective when source domain forges arbitrary intra-domain identifiers
      • Counter-measure: blocking the source domain

Implementation of Intra-domain Identifier is Flexible

  • Each domain can implement intra-domain identifier in its own way
      • Source IP address (if source spoofing is prevented inside a domain)
      • Message authentication code

Key Distribution via BGP

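Diffie-Hellman Key Exchange:

  d_{AS_i} = g^{r_{AS_i}} mod p
  K(AS_1, AS_2) = d_{AS_2}^{r_{AS_1}} mod p = d_{AS_1}^{r_{AS_2}} mod p

[Figure: AS1 (10.1.0.0/16, holding r_{AS_1}) and AS2 (10.2.0.0/16, holding r_{AS_2}) connected over eBGP. Prefix Announcement 1 carries 10.1.0.0/16 with d_{AS_1}; Prefix Announcement 2 carries 10.2.0.0/16 with d_{AS_2}.]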

Benefits of Key Distribution via BGP

  • Allowing key distribution to bootstrap
      • eBGP session between adjacent domains can be authenticated without passports [RFC3682]
  • Robust against DoS flooding attack
      • BGP is a closed system: BGP traffic can get higher priority
  • Supporting incremental deployment
      • d_{AS_i} can be carried in optional and transitive path attribute

Securing Key Distribution

  • d_{AS_i} is signed with AS_i’s private key
  • AS_i’s public key is distributed like d_{AS_i}
  • AS_i’s public key is bound to AS_i using the same mechanism that binds a prefix to a domain
      • Reusing the PKI that secures routing: public key certification by CAs

Preventing Replay Attack

  • Problem: attack traffic cannot be cut off
  • Why is replay attack prevention difficult?
      • Timestamp: time synchronization between domains
      • Sequence number: synchronization inside a domain
  • Our Solution
      • Bloom Filter + Fast Re-keying

[Figure: A, B and a compromised router; callout: "Too much traffic from A! Block him!"]

Bloom Filter to Detect Duplication

[Figure: domains AS1, AS2, AS3 and AS4; packets labeled ID=100; a Bloom filter holding the entry (AS1, 100)]

  • Limitation: a bloom filter cannot remember a passport for a long time
      • 16Mb SRAM can “remember” 2.5Gbps traffic for 5 seconds with a false positive rate of 5.7×10^-6

Fast Re-keying

[Figure: hash chain K(AS1,AS2), K_1(AS1,AS2), …, K_200(AS1,AS2), …, K_1000(AS1,AS2); domains AS1, AS2, AS3 and AS4, with packets labeled KeyIdx=200 and KeyIdx=100]

K_m(AS1,AS2) = HASH^m(K(AS1,AS2))

Passport Verification Process

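  1. Receive a packet.
  2. KeyIdx too large? Yes: discard/demote the packet. No: go to step 3.
  3. MAC valid? No: discard/demote the packet. Yes: go to step 4.
  4. Duplicate? Yes: discard/demote the packet. No: forward the packet.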
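The three checks of the verification process, wired to the per-hop MAC, the Bloom filter and the hash-chain re-keying from the earlier slides, as an added example that is not code from the slides or from the authors' system. Assumptions: HMAC-SHA256 truncated to 8 bytes stands in for UMAC, SHA-256 is the chain hash, the MAC also covers the packet ID, and `max_key_idx`, `Bloom`, `Verifier` and `stamp_at_source` are hypothetical names; the slides do not say how the KeyIdx bound is chosen.

```python
import hashlib, hmac

def chain_key(base_key: bytes, idx: int) -> bytes:
    """K_m = HASH^m(K): hash the shared key idx times (SHA-256 assumed)."""
    for _ in range(idx):
        base_key = hashlib.sha256(base_key).digest()
    return base_key

def passport_mac(key: bytes, pkt: dict) -> bytes:
    """MAC over (AS path, SrcIP, DstIP, packet ID); HMAC stands in for UMAC."""
    msg = "|".join([*pkt["path"], pkt["src"], pkt["dst"], str(pkt["id"])])
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()[:8]

class Bloom:  # remembers (source AS, packet ID) pairs; sizes are assumptions
    def __init__(self, bits: int = 1 << 16, hashes: int = 4):
        self.bits, self.hashes, self.arr = bits, hashes, bytearray(bits // 8)
    def seen_then_add(self, item: bytes) -> bool:
        pos = [int.from_bytes(hashlib.sha256(bytes([i]) + item).digest()[:8],
                              "big") % self.bits for i in range(self.hashes)]
        seen = all(self.arr[p >> 3] & (1 << (p & 7)) for p in pos)
        for p in pos:
            self.arr[p >> 3] |= 1 << (p & 7)
        return seen

class Verifier:
    def __init__(self, name: str, keys: dict, max_key_idx: int):
        # keys: source AS -> K(source, name); max_key_idx: assumed threshold
        self.name, self.keys, self.max_key_idx = name, keys, max_key_idx
        self.bloom = Bloom()
    def verify(self, pkt: dict) -> str:
        src_as = pkt["path"][0]
        if pkt["key_idx"] > self.max_key_idx:                  # KeyIdx too large?
            return "discard"
        want = passport_mac(chain_key(self.keys[src_as], pkt["key_idx"]), pkt)
        if not hmac.compare_digest(want, pkt["macs"].get(self.name, b"")):
            return "discard"                                   # MAC not valid
        if self.bloom.seen_then_add(f"{src_as},{pkt['id']}".encode()):
            return "discard"                                   # duplicate
        return "forward"

def stamp_at_source(pkt: dict, keys_by_hop: dict) -> dict:
    pkt["macs"] = {hop: passport_mac(chain_key(k, pkt["key_idx"]), pkt)
                   for hop, k in keys_by_hop.items()}
    return pkt

# Constructed sample: AS1 sends through AS2 to AS3 with made-up keys.
KEYS = {"AS2": b"constructed-K(AS1,AS2)", "AS3": b"constructed-K(AS1,AS3)"}
SAMPLE = stamp_at_source({"path": ["AS1", "AS2", "AS3"], "src": "10.1.0.5",
                          "dst": "10.3.0.9", "id": 100, "key_idx": 200}, KEYS)
```

A replayed copy of `SAMPLE` passes the MAC check and is caught only by the Bloom filter, which is why the filter's short memory has to be paired with re-keying.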

Supporting Incremental Deployment

Key distribution messages are wrapped in optional and transitive path attributes in prefix announcements

Passport can be implemented as a shim layer

AS path in a passport only includes those that have deployed packet passport system

Incentives for Early Adoption

  • No domains can spoof AS1’s source identifier at AS2
  • AS2 can filter DoS attack traffic from AS1
  • AS1 can locate attack sources within itself

[Figure: domains AS1, AS2 and AS3, two of them marked "Passport Enabled"]

Other Applications

  • Fair resource allocation
  • Restricting/eliminating reflector attacks
  • Deterring future attacks

Feasibility Analysis

Practical with today’s hardware technology

Passport generation and validation: with UMAC, a commodity PC can generate 975K passports and verify 3.9M passports per second

Key distribution: computation, communication and storage cost almost negligible

Bloom filter: 16Mb SRAM can “remember” 2.5Gbps traffic for 5 seconds with a false positive rate of 5.7×10^-6

Related Work

Our key advantage: stronger authentication

  • Source address validation: Ingress/egress filtering, reverse path filtering, SAVE [Li02]
      • Source address not verifiable
  • Path as the identifier: Path Identifier [Yaar03], Active Internet Traffic Filtering [Argyraki05]
      • First portion of the path spoofable
  • Authenticated Marking Scheme [Song01]
      • Not verifiable at packet forwarding time
  • Spoofing Prevention Method [Bremler-Barr05]
      • Secret in plain text; secret distribution problematic
  • TVA [Yang05], Ticket System [Patel97], Visa Protocol [Estrin89]
      • Request channel vulnerable

Summary

A packet passport efficiently and securely authenticates the source of a packet.

The system is incrementally deployable with incentives for early adoption.

The system is practical with today’s hardware technology.

Future Work

  • Improvement to replay attack prevention
  • Design and implementation of an automatic filtering system

Packet Passport Format