An Internet Architecture for the 21st Century Adrian Perrig - - PDF document

an internet architecture for the 21st century
SMART_READER_LITE
LIVE PREVIEW

An Internet Architecture for the 21st Century Adrian Perrig - - PDF document

Sep 06, 2022 154 likes •556 views

An Internet Architecture for the 21st Century Adrian Perrig Network Security Group, ETH Zrich monumental structure stood the test of time & seems immutable 2 Just like todays Internet ? Can we fix its issues, though?

slide-1
SLIDE 1

An Internet Architecture for the 21st Century

Adrian Perrig Network Security Group, ETH Zürich

slide-2
SLIDE 2

2

stood the test of time

monumental

structure

seems immutable

&

slide-3
SLIDE 3

Just like today’s Internet ?

3

Trust Control Transparency Availability

Can we fix its issues, though?

slide-4
SLIDE 4

Problem 1: Non-Scalability of Trust

4

Trust Control Transparency Availability

slide-5
SLIDE 5

Pervasive Trust in Early Internet

“ There were only two other Dannys on the Internet then.
 I knew them both. We didn't all know each other,
 but we all kind of trusted each other, and
 that basic feeling of trust permeated the whole network.” – Danny Hillis, about the Internet in the early 1980s,


TED talk, Feb 2013.

5

slide-6
SLIDE 6

Non-Scalability of Trust

▪ As the Internet has grown to encompass a large part of the global population, not everyone trusts everyone else on the Internet anymore ▪ The heterogeneity of global environment complicates entity authentication infrastructures

  • Relevant in this context: authentication of


routing updates, DNS replies, TLS certificates

▪ Two models for trust roots for authentication

  • Monopoly model
  • Oligarchy model

6

slide-7
SLIDE 7

Monopoly Model for Trust Root

▪ Single root of trust (i.e., root public key)
 that is globally accepted to authenticate entities ▪ Examples: RPKI for BGPSEC or DNSSEC rely on
 a public key that forms root of trust

  • All AS certificates or DNS records are


authenticated based on that root of trust

▪ Problems

  • Entire world needs to agree on

  • ne entity to hold root of trust
  • Single point of failure
  • Inefficient revocation / update

7

slide-8
SLIDE 8

Oligarchy Model for Trust Root

▪ Numerous roots of trust
 that are globally accepted to validate entities ▪ Example: TLS PKI relies on > 1000 roots of trust

  • TLS certificate accepted if signed by any root of trust

▪ Problems

  • Single point of failure: any single


compromised root of trust can
 create any bogus TLS certificate

  • Revocation/updates are handled


through OS or browser update

8

slide-9
SLIDE 9

Global Trust leads to Kill Switch

▪ Current Internet has several “Kill Switches” ▪ BGP: BGP hijacking ▪ DNS: TLD redirection ▪ BGPSEC: AS key revocation ▪ DNSSEC: TLD key revocation ▪ Can we design networks without kill switch?

9

slide-10
SLIDE 10

Proposed Approach: Isolation Domains ▪ Observation: subset of the Internet can agree on roots of trust
 form Isolation Domain (ISD) with that particular root of trust ▪ Authenticate entities (only) within each Isolation Domain ▪ Users & domains can select ISD based on root of trust ▪ Also supports modern log-based PKI
 approaches: CT, AKI, ARPKI, … ▪ Challenge: retain global
 verifiability

10

slide-11
SLIDE 11

Problem 2: Control

11

Control Transparency Availability

slide-12
SLIDE 12

Aspects of Control

▪ We discuss here two aspects of control ▪ Path control ▪ Bandwidth control (DDoS attack defense)

12

slide-13
SLIDE 13

Who controls Internet Paths?

▪ Current Internet offers limited control of paths ▪ Paths can be hijacked and redirected

13

slide-14
SLIDE 14

Who should control Paths?

▪ Clearly, ISPs need some amount of path control
 to enact their policies. ▪ How much path control should end points (sender and receiver) have?

  • Control is a tricky issue … how to empower end points

without providing too much control?

No Endpoint Control Complete Endpoint Control Limited Endpoint Control

slide-15
SLIDE 15

Absence of Bandwidth Control

▪ Today: no way to turn off malicious sender who floods victim with traffic ▪ Attackers use large botnets to send unwanted traffic to victims ▪ Amplification attacks further increase traffic volume ▪ N2 attacks will be used in the future to evade all current DDoS defenses

15

slide-16
SLIDE 16

Problem 3: Transparency

16

Transparency Availability

slide-17
SLIDE 17

Transparency: Internet Paths

▪ Today, sender cannot obtain guarantee that packet will travel along intended path ▪ Impossible to gain assurance of packet path

  • Because router forwarding state can be inconsistent

with routing messages sent

17

slide-18
SLIDE 18

Proposed Approach: Packet-Carried State

▪ Packets carrying forwarding information provides path transparency

  • Note: orthogonal issue to path control, as network

can still define permitted paths

slide-19
SLIDE 19

Problem 4: Availability

19

Availability

slide-20
SLIDE 20

Poor Availability

▪ Well-connected entity: 99.9% availability
 (86 s/day unavailability)


[Katz-Bassett et al., Sigcomm 2012]

▪ Numerous short-lived outages due to BGP route changes

  • Route convergence delays

▪ Outages due to misconfigurations ▪ Outages due to attacks

  • E.g., prefix hijacking, DDoS

20

slide-21
SLIDE 21

Is a 10s Outage per Day Harmful?

▪ 99.99% reliability average 8.6 s/day outage

  • Level of availability achieved by Amazon datacenter

▪ Insufficient for many applications

  • Critical infrastructure command and control

▪ E.g., air traffic control, smart grid control

  • Internet-based business
  • Financial trading / transactions
  • Telemedicine

21

slide-22
SLIDE 22

SCION Project

▪ Scalability, Control, and Isolation On Next-Generation Networks

[IEEE S&P 2011, CCS 2015, NDSS 2016]

▪ Current main team: Daniele Asoni, David Barrera,


Chen Chen, Laurent Chuat, Sam Hitz, Jason Lee, Tae-Ho Lee,
 Steve Matsumoto, Chris Pappas, Adrian Perrig, Raphael Reischuk, Stephen Shirley, Pawel Szalachowski, Brian Trammell, Ercan Ucan

22

slide-23
SLIDE 23

SCION Architectural Design Goals

▪ High availability, even for networks with malicious parties

  • Adversary: access to management plane of router
  • Communication should be available if adversary-free path exists

▪ Secure entity authentication
 that scales to global heterogeneous (dis)trusted environment ▪ Flexible trust: operate in heterogeneous trust environment ▪ Transparent operation: Clear what is happening to packets and whom needs to be relied upon for operation ▪ Balanced control
 among ISPs, Senders, and Receiver ▪ Scalability, efficiency, flexibility

23

slide-24
SLIDE 24

SCION Isolation Domain (ISD)

▪ SCION Isolation Domain requirements

  • Region that can agree on a common root of trust
  • groups a number of ASes
  • Set of ISPs to operate Isolation Domain Core to manage ISD

▪ Certificates for roots of trust ▪ Manage core path and beacon servers

  • Other ISDs need to agree to connect as peer or as provider

▪ Open research issue how to best structure ISDs:

▪ political and legal issues arise ▪ Possible partition is along geographical regions

24

slide-25
SLIDE 25

SCION Isolation Domain (ISD)

▪ SCION Isolation Domain composition

  • ISD Core with ISD Core ASes
  • Other ISP ASes or end-domain ASes

ISD Core

TD1 Core ISD Core

slide-26
SLIDE 26

Beaconing for Route Discovery

▪ Periodic Path Construction Beacon (PCBs)

  • Scalable and secure dissemination of


path/topological information from core to edge

  • Policy-constrained multi-path flood


to provide multiple paths

TD1 Core

slide-27
SLIDE 27

SCION Forwarding (Data Plane)

▪ Domains register paths at DNS-like server in ISD Core ▪ End-to-end communication

  • Source fetches destination paths
  • Source path + destination path end-to-end path
  • Packet contains forwarding information

▪ Advantages

  • Isolates forwarding from routing
  • No forwarding table at routers
  • Path transparency
  • Balanced route control

TD1 Core

path server

slide-28
SLIDE 28

Path Construction and Usage

▪ Path Construction Beacon (PCB) construction:
 PCB1 = < Texp Int1 OF1 S1 >
 Opaque field OF1 = Int1 MACK( Texp Int1 )
 Signature S1 = { PCB1 }K’ ▪ PCB2 = < Texp Int1 OF1 S1 Int2 Int3 OF2 S2 >
 Opaque field OF2 = Int2 Int3 MACK( Texp Int2 Int3 OF1)
 Signature S2 = { PCB2 }K’ ▪ AS receiving PCB2:

  • Verify signatures
  • Use opaque fields O1 O2 to send packet to ISD Core

28

TD1

Int1 Int2 Int3

slide-29
SLIDE 29

ISD1 Core ISD1 Core

ISD 3 Core ISD Core Interconnect

Inter-ISD Communication

A E H B F I C D

PS1 PS3

ISD 4 Core ISD2 Core G

slide-30
SLIDE 30

ISD2 Core

ISD1 Core ISD1 Core

ISD 3 Core

Peer

ISD Core Interconnect

Shortcuts through Peering Links

A G E H B F I C D

P e e r

ISD 4 Core

slide-31
SLIDE 31

Handling Link Failures

▪ SCION clients use multi-path communication by default, other paths are likely to still function ▪ Path construction beacons are constantly sent, disseminating new functioning paths ▪ Link withdrawal message sent …

  • … upstream to cause path servers to remove paths

with broken link

  • … downstream to cause beacon servers to remove

paths with broken link

31

slide-32
SLIDE 32

SCION Extensions

32

Faultprints OPT DRKey DENA Multi-path Communication HORNET SAINT FAIR SIBRA APNA ARPKI RainCheck

slide-33
SLIDE 33

SCION Summary

▪ Complete re-design of network architecture
 resolves numerous fundamental problems

  • BGP protocol convergence issues
  • Separation of control and data planes
  • Isolation of mutually untrusted control planes
  • Path control by senders and receivers
  • Simpler routers (no forwarding tables)
  • Root of trust selectable by each ISD

▪ An isolation architecture for the control plane,
 but a transparency architecture for the data plane.

33

slide-34
SLIDE 34

Outline: Remainder of Talk

▪ Current implementation status ▪ Demos ▪ Efficient forwarding ▪ Multi-path communication ▪ Browser-level path control ▪ Use cases

34

slide-35
SLIDE 35

SCION Implementation Status

▪ V1.0 specification almost completed ▪ 3rd generation C/C++ implementation ▪ 4th generation: Python implementation ▪ High-speed router implementation
 switching 120Gbps on off-the-shelf PC ▪ So far ~65 person-years of effort invested ▪ Growing testbed ▪ ISP Deployment:
 SWITCH, Swisscom, 
 KDDI

35

slide-36
SLIDE 36

Demo: High-Speed Router

▪ Standard PC with dual Intel Xeon E5-2680 processors (~$500)

  • 8 cores per processor

▪ Intel 82599EB X520-DA2 NIC (2x 10Gbps) (~$600) ▪ Spirent SPTN4U-220 traffic generator

36

slide-37
SLIDE 37

Multipath Communication

▪ SCION provides end-to-end paths to clients ▪ Using multiple paths can provide many benefits:

  • Reliability — avoid a single point of failure
  • Bandwidth — use more total bandwidth


(subject to fairness constraints)

  • Cost — use cheaper links
  • Latency — use paths with lower propagation delays

▪ Different strategies are possible based on applications, path characteristics, and topology

37

slide-38
SLIDE 38

Use Cases

▪ Highly efficient and available multi-path communication ▪ VPN link over SCION ▪ Inter-domain bandwidth guarantees via SIBRA and DILLs (Dynamic Inter-domain Leased Lines) ▪ Available and DDoS-resilient communication among banks in Switzerland ▪ Trustworthy network through verifiable router code

38

slide-39
SLIDE 39

Highly Available and DDoS Resilient Communication among Banks

39

  • utside CH

E1 S3 S3 S2 S2 C2 S4 E2 E2 S1 C1 C1 S4 S1 E1 C2

Edge router SCION router Computing Cloud / IaaS Bank A Bank B

slide-40
SLIDE 40

Summary

▪ Network architecture re-design resolves fundamental problems

▪ BGP protocol convergence issues ▪ Separation of control and data planes ▪ Isolation of mutually untrusted control planes ▪ Path control by senders and receivers ▪ Simpler routers (no forwarding tables) ▪ Root of trust selectable by Isolation Domain

▪ SCION enables new applications and services

▪ Guaranteed bandwidth, DDoS resilience ▪ No Internet “Kill Switch” ▪ Communication transparency ▪ Verified router software

▪ ISPs and corporations now engaging in pilot deployment ▪ More information: http://www.scion-architecture.net

40