Complexity Attack Resistant Flow Lookup Schemes for IPv6: A - PowerPoint PPT Presentation

  1. Complexity Attack Resistant Flow Lookup Schemes for IPv6: A Measurement Based Comparison. David Malone and Josh Tobin. 2008-12-11

  2. Hash Table
     Lookup scheme to avoid cost of searching full list.
     Full list: carrot, zucchini, ..., apricot, apple
     becomes:
       a: apricot, apple
       b: banana
       ...
       z: zucchini
     Hash function h(x), XOR typical. Cost: O(N) → O(N/H).

  3. Algorithmic Attacks
     Worst case rather than typical behaviour (Crosby and Wallach, 2003).
     Suppose attacker controls keys:
       a: abduce, abducens, abducent, abduct, abduction, abductor, ...
       b:
       ...
       z:
     Attacker finds x_i so that f(x_1) = f(x_2) = ... = f(x_i).

  4. Flow Lookup
     • Security applications often track IP flows.
     • Lookup single flow by tuple (src IP, dst IP, src port, dst port).
     • Hash table is one possible optimisation.
     • For IPv4: 96 bits of input.
     • For IPv6: 288 bits of input.
     • Aim — ipfw for FreeBSD.
     • Note: inexact flow matching is a different problem!

  5. Demonstration attack
     [Figure: Packets Forwarded (pps), 0 to 60, against Time (s), 0 to 20; two series: Random Attack, Complexity Attack]

  6. Xor:
       h ← 0
       foreach (byte[i]) h ← h ⊕ byte[i]
       return h
     DJB2:
       h ← 5381
       foreach (byte[i]) h ← 33 ∗ h + byte[i]
       return h
     XorSum:
       h ← 0
       foreach (byte[i]) h ← h + (byte[i] ⊕ K[i])
       return h
     SumXor:
       h ← 0
       foreach (byte[i]) h ← h ⊕ (byte[i] + K[i])
       return h

  7. Universal:
       h ← 0
       foreach (byte[i]) h ← h + K[i] ∗ byte[i]
       return h mod 65537
     Pearson:
       h1 ← h2 ← 0
       foreach (byte[i])
         h1 ← T1[byte[i] ⊕ h1]
         h2 ← T2[byte[i] ⊕ h2]
       return h1 + h2 ∗ 256
     MD5:
       return two bytes of MD5(bytes)
     SHA:
       return two bytes of SHA(bytes)

  8. Hash Chain Length
     [Figure: Mean Lookup Chain Length (log scale, 10 to 100000) per hash: Universal, Xor, XorSum, SumXor, DJB2, Pearson, MD5, SHA; key sets: sequential, hamming, xor zero, xor one, sum zero, random]
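The hash functions of slides 6 and 7 and the "mean lookup chain length" measurement of slide 8, written out as an added example; this is not the authors' ipfw code. The bucket count (65536, one per 16-bit hash value), the 36-byte key layout, the seeded constants K and K_WORD, the Pearson tables T1/T2, the use of SHA-1 for "SHA", and the sequential and random key sets are all constructed here for illustration.

```python
"""Slide 6/7 hashes plus the slide 8 chain-length measurement (added example)."""
import hashlib
import random
import struct
from collections import Counter

BUCKETS = 65536             # assumption: 2^16 buckets, one per 16-bit hash value
KEY_LEN = 36                # IPv6 flow tuple: 16 + 16 + 2 + 2 bytes = 288 bits (slide 4)
_rng = random.Random(2008)  # fixed seed so the constructed constants are reproducible

# Constructed keyed material (assumptions): byte constants K for XorSum/SumXor,
# word constants for Universal, and two random permutation tables for Pearson.
K = [_rng.randrange(256) for _ in range(KEY_LEN)]
K_WORD = [_rng.randrange(1, 65537) for _ in range(KEY_LEN)]
T1 = _rng.sample(range(256), 256)
T2 = _rng.sample(range(256), 256)


def h_xor(b: bytes) -> int:
    h = 0
    for x in b:
        h ^= x
    return h


def h_djb2(b: bytes) -> int:
    h = 5381
    for x in b:
        h = (33 * h + x) & 0xFFFFFFFF  # 32-bit wraparound, as a C unsigned int would (assumption)
    return h


def h_xorsum(b: bytes) -> int:
    h = 0
    for i, x in enumerate(b):
        h += x ^ K[i]
    return h


def h_sumxor(b: bytes) -> int:
    h = 0
    for i, x in enumerate(b):
        h ^= x + K[i]
    return h


def h_universal(b: bytes) -> int:
    h = 0
    for i, x in enumerate(b):
        h += K_WORD[i] * x
    return h % 65537


def h_pearson(b: bytes) -> int:
    h1 = h2 = 0
    for x in b:
        h1 = T1[x ^ h1]
        h2 = T2[x ^ h2]
    return h1 + h2 * 256


def h_md5(b: bytes) -> int:
    return int.from_bytes(hashlib.md5(b).digest()[:2], "little")


def h_sha(b: bytes) -> int:
    return int.from_bytes(hashlib.sha1(b).digest()[:2], "little")  # SHA-1 assumed


HASHES = {"Xor": h_xor, "DJB2": h_djb2, "XorSum": h_xorsum, "SumXor": h_sumxor,
          "Universal": h_universal, "Pearson": h_pearson, "MD5": h_md5, "SHA": h_sha}


def flow_key(src: int, dst: int, sport: int, dport: int) -> bytes:
    """Serialise an IPv6 flow tuple to the 36-byte (288-bit) key of slide 4."""
    return src.to_bytes(16, "big") + dst.to_bytes(16, "big") + struct.pack(">HH", sport, dport)


def sequential_keys(n: int) -> list:
    """Constructed 'sequential' set: n consecutive client addresses to one service."""
    base = 0x20010DB8 << 96  # 2001:db8::/32, documentation prefix
    return [flow_key(base + i, base | 1, 40000, 80) for i in range(n)]


def random_keys(n: int) -> list:
    """Constructed 'random' set: uniformly random addresses and ports."""
    return [flow_key(_rng.getrandbits(128), _rng.getrandbits(128),
                     _rng.randrange(65536), _rng.randrange(65536)) for _ in range(n)]


def mean_chain_length(hash_fn, keys: list) -> float:
    """Average chain length a lookup of a stored flow walks: sum over buckets of
    len^2, divided by the number of flows (ideal is just above 1.0)."""
    counts = Counter(hash_fn(k) % BUCKETS for k in keys)
    return sum(c * c for c in counts.values()) / len(keys)


def compare(n: int = 10000) -> dict:
    """Mean chain length of every hash on the sequential and random key sets."""
    seq, rnd = sequential_keys(n), random_keys(n)
    return {name: (mean_chain_length(f, seq), mean_chain_length(f, rnd))
            for name, f in HASHES.items()}


if __name__ == "__main__":
    for name, (seq, rnd) in compare().items():
        print(f"{name:10s} sequential {seq:9.2f}   random {rnd:6.2f}")
```

Running it reproduces the shape of slide 8 on the constructed sets: with sequential sources only the low two address bytes change, so Xor can reach at most 256 of the 65536 buckets and every lookup walks a long chain, while the keyed and cryptographic hashes stay near one entry per lookup on both key sets. The chain-length statistic is the quantity a defender should track, since it is what degrades first when keys stop being typical.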

  9. CPU Cost
     [Figure: CPU used, 0 to 0.09, per hash: Universal, Xor, XorSum, SumXor, DJB2, Pearson, MD5, SHA; key sets: sequential, hamming, xor zero, xor one, sum zero, random, dont]

  10. Other options
      Don’t need to use hash.
      Tree: use lexical order to insert into tree.
      Red/Black Tree: tree balanced by colouring.
      Splay Tree: moves frequently accessed to top.
      Treap: tree balanced using random heap.
      Tree is baseline (and subject to attack). Others are not (obviously) subject to attack.
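To show why the plain tree is the baseline "subject to attack" while a treap is not, here is an added example (not the authors' code) that inserts the same sequential flow keys into an unbalanced binary search tree and into a treap and reports the height of each. The key is an integer tuple (src, dst, sport, dport) compared lexically, as the slide describes; the key set, the seed and the 2001:db8:: addresses are constructed here.

```python
"""Unbalanced BST baseline beside a treap for flow lookup (added example)."""
import random


class Node:
    __slots__ = ("key", "val", "prio", "left", "right")

    def __init__(self, key, val, prio):
        self.key, self.val, self.prio = key, val, prio
        self.left = self.right = None


def bst_insert(root, key, val):
    """Baseline: plain BST insert. Sorted arrivals degenerate it into a list."""
    if root is None:
        return Node(key, val, 0)
    cur = root
    while True:
        if key == cur.key:
            cur.val = val
            return root
        side = "left" if key < cur.key else "right"
        child = getattr(cur, side)
        if child is None:
            setattr(cur, side, Node(key, val, 0))
            return root
        cur = child


def _rotate_right(n):
    l = n.left
    n.left, l.right = l.right, n
    return l


def _rotate_left(n):
    r = n.right
    n.right, r.left = r.left, n
    return r


def treap_insert(root, key, val, rng):
    """Treap insert: BST order on key, max-heap order on a random priority,
    so expected depth is O(log n) regardless of the order keys arrive in."""
    if root is None:
        return Node(key, val, rng.random())
    if key == root.key:
        root.val = val
    elif key < root.key:
        root.left = treap_insert(root.left, key, val, rng)
        if root.left.prio > root.prio:
            root = _rotate_right(root)
    else:
        root.right = treap_insert(root.right, key, val, rng)
        if root.right.prio > root.prio:
            root = _rotate_left(root)
    return root


def lookup(root, key):
    """Return (value, comparisons) so the cost of the lookup is visible."""
    steps = 0
    while root is not None:
        steps += 1
        if key == root.key:
            return root.val, steps
        root = root.left if key < root.key else root.right
    return None, steps


def height(root):
    """Tree height, iteratively (the degenerate BST is too deep to recurse)."""
    best, stack = 0, ([(root, 1)] if root else [])
    while stack:
        n, d = stack.pop()
        best = max(best, d)
        if n.left:
            stack.append((n.left, d + 1))
        if n.right:
            stack.append((n.right, d + 1))
    return best


def sequential_flows(n):
    """Constructed key set: n consecutive IPv6 sources talking to one service."""
    base = 0x20010DB8 << 96  # 2001:db8::/32, documentation prefix
    return [(base + i, base | 1, 40000, 80) for i in range(n)]


def build(n, seed=2008):
    """Insert the same n flows into both structures; return (bst, treap)."""
    rng = random.Random(seed)
    bst = treap = None
    for i, key in enumerate(sequential_flows(n)):
        bst = bst_insert(bst, key, i)
        treap = treap_insert(treap, key, i, rng)
    return bst, treap


if __name__ == "__main__":
    bst, treap = build(2000)
    print("BST height:  ", height(bst))
    print("Treap height:", height(treap))
```

With 2000 flows arriving in address order the BST height equals the number of flows, so a lookup of the last-inserted flow walks every node, whereas the treap stays at a few dozen levels because its shape depends on the random priorities rather than on the keys the traffic supplies.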

  11. Design Aims/Method
      Want flow lookup to:
      • Should perform OK under typical traffic.
      • Should not degrade badly under attack.
      • ... typical performance depends on keys.
      • ... collect trace of traffic,
      • ... assess using pcap framework,
      • ... check performance in kernel.

  12. Traffic Trace
      [Figure: Flow size (packets), log scale 1 to 100000, against Flow size rank, log scale 1 to 100000; series: Testlog 2 sample, Testlog 2]

  13. Big CPU
      [Figure: Average CPU per packet (us), 0 to 2.5, against Packets processed, 500000 to 5e+06; series: Pearson (Byte) Hash Table, Xor (Byte) Hash Table, Treap, Unbalanced Tree, Red/Black Tree, Splay Tree, SHA Hash Table, MD5 Hash Table, Pearson (Word) Hash Table, Universal Hash Table, Xor (Word) Hash Table]

  14. Small CPU
      [Figure: Average CPU per packet (us), 0 to 60, against Packets processed, 50000 to 450000; series: Pearson (Byte) Hash Table, Xor (Byte) Hash Table, Treap, Unbalanced Tree, Red/Black Tree, Splay Tree, SHA Hash Table, MD5 Hash Table, Pearson (Word) Hash Table, Universal Hash Table, Xor (Word) Hash Table]

  15. Peak Forwarding
      [Figure: Packets Out, 0 to 1800, against Packets In, 0 to 6000; series: No ipfw, ipfw with Xor, ipfw with Universal, ipfw with Pearson]

  16. Summary
      • Looked at flow lookup schemes.
      • Wanted attack resistant scheme,
      • ... with good typical performance.
      • Future: get code into FreeBSD.
      • Future: look at attacks on hashes.
      • Future: new hashing schemes.
