Analysis of Control, Data separation in ForCES protocol for protection against DoS attacks (PowerPoint PPT Presentation)


Slide 1

Analysis of Control, Data separation in ForCES protocol for protection against DoS attacks

Hormuzd Khosravi, Shashidhar Lakkavalli, Lily Yang
60th IETF Meeting, San Diego

Slide 2

Problem Statement

Requirements, RFC 3654: “Protection against Denial of Service Attacks (based on CPU overload or queue overflow) - Systems utilizing the ForCES protocol can be attacked using denial of service attacks based on CPU overload or queue overflow. The ForCES protocol could be exploited by such attacks to cause the CE to become unable to control the FE or appropriately communicate with other routers and systems. The ForCES protocol MUST therefore provide mechanisms for controlling FE capabilities that can be used to protect against such attacks. FE capabilities that MUST be manipulated via ForCES include the ability to install classifiers and filters to detect and drop attack packets, as well as to be able to install rate limiters that limit the rate of packets which appear to be valid but may be part of an attack (e.g., bogus BGP packets).”

Slide 3

Possible Solutions

Basic Idea – Separation of data and control messages

– Data messages are control protocol packets such as RIP, OSPF and BGP packets, redirected between FE and CE. All other messages are considered control messages.

Solution 1 – Different Transport connections

– Use different congestion-aware transport protocol connections for data and control messages

Solution 2 – Different Prioritization

– Assign higher priority to control messages and use scheduling mechanisms in the protocol implementation to differentiate them from data messages

Slide 4

Experimental Setup

Used an IXIA box as packet generator and Linux PCs as CE and FE, connected using 100 Mbps Ethernet links

Basic implementation consisting of a multi-threaded client/server on Linux using pthreads (RR scheduling for threads)

Increased the data connection rate to simulate a DoS attack

Slide 5

Experimental Results

Using TCP for control and UDP for data messages (with and without prioritization for control). Results show UDP (data) traffic overwhelms TCP (control) traffic during the DoS attack; prioritization of control is of no help.

[Two plots: Received/Sent Data (loss), 0.2 to 1.2, vs. Redirection Data Rate (Mbps), 50 to 150; series: Control, Data, Data w/o Control. Left: without prioritization. Right: With Prioritization.]

Slide 6

Experimental Results (contd..)

Using TCP for control and TCP for data messages (with and without prioritization for control). Results show control traffic is not overwhelmed by data traffic during the DoS attack; prioritization helps improve performance (by 5%).

[Two plots: Received/Sent Data (loss), 0.2 to 1.2, vs. Redirection Data Rate (Mbps), 50 to 150; series: Control, Data. Left: without prioritization. Right: With Prioritization.]
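The plots on slides 5 and 6 report received/sent per message kind as the redirected data rate climbs. The following is an added example, not code from the slides or from the authors' pthreads implementation: a small queueing model of the CE's receive side that reproduces the queue-overflow half of the RFC 3654 requirement and compares the two solutions from slide 3 against a shared queue. The constants CONTROL_RATE, SERVICE and CAPACITY, the three scheme names, the random interleaving of arrivals and the tick-based service are all assumptions of this model; it does not model transport congestion control, so the TCP-versus-UDP difference between the two result slides is outside its scope.

```python
"""Queueing model of control/data separation at the CE's receive side.

Constructed example (not from the slides).  Each tick the CE can service
a fixed number of messages.  Control messages (ForCES protocol messages)
arrive at a low fixed rate; "data" messages (redirected RIP/OSPF/BGP
packets) arrive at a rate swept upward to mimic the DoS experiment.
Three receive-side schemes are compared:

  shared     - one bounded FIFO for both kinds (no separation, no priority)
  priority   - one bounded ingress FIFO, control dequeued ahead of data
  separated  - separate bounded queues, control queue served first

The metric is received/sent per kind, the y-axis of the slides' plots.
"""
import random
from collections import deque

CONTROL_RATE = 2     # control messages arriving per tick (assumed)
SERVICE = 5          # messages the CE can process per tick (assumed)
CAPACITY = 10        # slots per bounded queue (assumed)


def simulate(scheme, data_rate, ticks=200, seed=1):
    """Run `ticks` steps; return {'control': ratio, 'data': ratio}."""
    rng = random.Random(seed)
    sent = {"control": 0, "data": 0}
    received = {"control": 0, "data": 0}
    if scheme == "separated":
        queues = {"control": deque(), "data": deque()}
    elif scheme in ("shared", "priority"):
        queues = {"ingress": deque()}
    else:
        raise ValueError(f"unknown scheme {scheme!r}")

    def queue_for(kind):
        return queues[kind] if scheme == "separated" else queues["ingress"]

    for _ in range(ticks):
        # Arrivals for this tick in random order: the data flood and the
        # CE's own control traffic compete for the same queue slots.
        arrivals = ["control"] * CONTROL_RATE + ["data"] * data_rate
        rng.shuffle(arrivals)
        for kind in arrivals:
            sent[kind] += 1
            q = queue_for(kind)
            if len(q) < CAPACITY:       # tail drop once the queue is full
                q.append(kind)

        # Service: dequeue up to SERVICE messages according to the scheme.
        budget = SERVICE
        if scheme == "shared":
            q = queues["ingress"]
            while budget and q:
                received[q.popleft()] += 1
                budget -= 1
        elif scheme == "priority":
            # Control is pulled out of the shared FIFO first, but anything
            # already dropped at ingress cannot be recovered by priority.
            q = queues["ingress"]
            for kind in ("control", "data"):
                while budget and kind in q:
                    q.remove(kind)
                    received[kind] += 1
                    budget -= 1
        else:
            # Separated: drain the control queue before touching data.
            for kind in ("control", "data"):
                q = queues[kind]
                while budget and q:
                    received[q.popleft()] += 1
                    budget -= 1

    return {k: (received[k] / sent[k] if sent[k] else 1.0) for k in sent}


def sweep(scheme, rates=(0, 5, 50, 100, 150)):
    """Return [(data_rate, control_ratio, data_ratio), ...] for a scheme."""
    rows = []
    for rate in rates:
        res = simulate(scheme, rate)
        rows.append((rate, res["control"], res["data"]))
    return rows


if __name__ == "__main__":
    for scheme in ("shared", "priority", "separated"):
        print(scheme)
        for rate, c, d in sweep(scheme):
            print(f"  data_rate={rate:3d}  control={c:.2f}  data={d:.2f}")
```

With a shared ingress queue the control ratio falls with the data rate whether or not control is dequeued first, because the losses happen at tail drop before the scheduler sees the messages; only a separate queue for control keeps its ratio at 1.0 under the flood, which is the qualitative shape of the separated-connection results on the slides.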

Slide 7

Summary

Protection against DoS attacks is a key requirement for the ForCES protocol

Separation of Control and Data messages in the ForCES protocol is key to meeting this requirement

Separation scheme consisting of

– separate congestion-aware control and data transport connections, such as TCP connections,

– combined with higher priority for control

gives the best results

References

– http://www.sstanamera.com/~forces/

– http://www.sstanamera.com/~forces/Ietf59/testbed_dong.pdf