Host Identity Indirection Infrastructure Hi 3 Jari Arkko, Pekka - - PowerPoint PPT Presentation



SLIDE 1

Host Identity Indirection Infrastructure – Hi3

Jari Arkko, Pekka Nikander and Börje Ohlman, Ericsson Research

SLIDE 2

Presentation outline

  • Motivation
  • Background
  • Secure i3
  • Hi3
  • Summary
SLIDE 3

Hi3 motivation

  • Question: How to get data based on HIT only?
  • HITs look like 128-bit random numbers
  • Possible answer: DHT based overlay like i3
  • Extra bonus: DDoS protection
  • Inherited from Secure i3 and enhanced
SLIDE 4

Background

  • Current HIP name resolution
  • Basic HIP rendezvous service
  • About Distributed Denial-of-Service attacks
  • Two-slide introduction to Distributed Hash Tables

SLIDE 5

Current HIP name resolution

  • HITs or HIs in the DNS
  • DNS query asks for addresses and HITs
  • Requires one to have a DNS name
  • HITs not resolvable due to name space being flat

[Figure: Client app sends a DNS query for A, AAAA and HIT records to the DNS server; the DNS reply returns A, AAAA and HIT]

SLIDE 6

Basic HIP rendezvous service

  • Keep track of Responder’s IP address(es)
  • Forward I1 to Responder
  • Optionally forward R1 back to the Initiator and then I2 to the Responder
  • Keeps Responder’s IP address(es) hidden until it has a chance to verify the puzzle

[Figure: Initiator sends I1 to the RVS, the RVS forwards I1 to the Responder, and R1 is returned to the Initiator]

SLIDE 7

Distributed Hash Tables (DHT)

  • Distributed directory for flat data
  • Several different ways to implement
  • Each server maintains a partial map
  • Overlay addresses to direct to the right server
  • Resilient through parallel, unrelated mappings
SLIDE 8

DHTs: Example

Routing table of one node (5-bit identifiers):

  Prefix   Default node   Real node
  00110    00110 = 6      none exists
  0010_    00101 = 5      none exists
  000__    00011 = 3      → 1
  01___    01111 = 15     → 10
  1____    10111 = 23     → 24

[Figure: ring of the live nodes 00001, 00111, 01010, 01011, 01100, 10010, 10101, 11000, 11010, 11101 and 11111, with the 000__, 01___ and 1____ prefix regions marked]

RT size = log2(|address|), path length = log2(|address|)
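
Added example, not code from the slides: a Python model of the prefix routing table on this slide, plus a hop-by-hop lookup that shows the log2 path-length bound. It assumes 5-bit identifiers, that the table belongs to node 00111 (7), that the nodes drawn in the figure are the only live nodes, and that a prefix's real node is the first live node at or after the default node inside the prefix's range, wrapping within that range; all four are my assumptions, chosen because they reproduce every row.

```python
# Added example, not from the slides: prefix-routing table and lookup for the
# DHT on slide 8. Assumptions (mine): 5-bit identifiers, the table belongs to
# node 00111 = 7, the nodes drawn in the figure are the only live nodes, and
# the "real node" of a prefix is the first live node at or after the default
# node inside the prefix's range, wrapping within that range.
from dataclasses import dataclass
from typing import List, Optional

BITS = 5
LIVE_NODES = frozenset({1, 7, 10, 11, 12, 18, 21, 24, 26, 29, 31})


@dataclass(frozen=True)
class Entry:
    prefix: str               # e.g. "01___": fixed bits, then free bits
    default_node: int         # prefix completed with the owner's own low bits
    real_node: Optional[int]  # live node serving that prefix, None if none exists


def routing_table(node: int, nodes=LIVE_NODES, bits: int = BITS) -> List[Entry]:
    """One row per bit position: flip that bit of the owner's ID, keep the
    higher bits, and leave the lower ones free. Table size is log2(|address|)."""
    own = format(node, f"0{bits}b")
    rows = []
    for free in range(bits):               # number of free (low) bits
        pos = bits - 1 - free               # the bit being flipped
        fixed = own[:pos] + ("1" if own[pos] == "0" else "0")
        default = int(fixed + own[pos + 1:], 2)
        lo, hi = int(fixed + "0" * free, 2), int(fixed + "1" * free, 2)
        in_range = sorted(n for n in nodes if lo <= n <= hi)
        at_or_after = [n for n in in_range if n >= default]
        real = (at_or_after or in_range or [None])[0]
        rows.append(Entry(fixed + "_" * free, default, real))
    return rows


def route(src: int, key: int, nodes=LIVE_NODES, bits: int = BITS) -> List[int]:
    """Forward hop by hop towards a live key. Every hop fixes at least one more
    leading bit, so the path has at most log2(|address|) hops (the slide's bound)."""
    hops, cur = [src], src
    while cur != key:
        cur_b, key_b = format(cur, f"0{bits}b"), format(key, f"0{bits}b")
        pos = next(p for p in range(bits) if cur_b[p] != key_b[p])
        row = routing_table(cur, nodes, bits)[bits - 1 - pos]
        if row.real_node is None:
            raise LookupError(f"no live node serves prefix {row.prefix}")
        cur = row.real_node
        hops.append(cur)
    return hops
```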

SLIDE 9

About DDoS Attacks

  • Attacks a victim from dozens to thousands of network locations at the same time
  • Employs zombies, typically hacked PCs
  • Observation:
    • Keeping IP address hidden protects from DDoS
  • Question:
    • How to keep a server’s IP address hidden?
SLIDE 10

Secure i3

  • i3 overview
  • Secure i3 principles
  • Diluting a DoS/DDoS attack in i3
SLIDE 11

i3 overview

  • Efficient indirection layer on top of IP
  • Overlay network consisting of rendezvous servers

  • Rendezvous based communication abstraction
  • Each packet has a recipient identifier
  • Rendezvous servers maintain triggers
  • Trigger is an (id, destination) pair
  • Destination is typically an IP address
SLIDE 12

Rendezvous Communication

  • Packets addressed to identifiers (“names”)
  • Trigger: (Identifier, IP address): inserted by receiver and then used by sender
  • Triggers are mappings set up by end-hosts, and stored in DHTs (can point to other triggers too)

[Figure: Receiver R inserts the trigger (ID, R); Sender calls send(ID, data) and the overlay delivers it as send(R, data)]

(Slide courtesy of Ion Stoica, UC Berkeley)

SLIDE 13

Secure i3 principles

  • Hide IP addresses
  • Must use overlay
  • End-hosts have ability to defend against attacks (in the network)

  • Don’t create additional vulnerabilities
SLIDE 14

Diluting a DoS attack in i3

Attacker (A) floods victim (V) via i3 public triggers: x1, x2, x3 and x4 all map to V.

Victim dilutes the attack by dropping two of its four public triggers, leaving only x3 and x4 pointing to V.

(Slide courtesy of Dan Adkins, UC Berkeley)
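
As an added example that is not code from the slides or from i3 itself, the trigger abstraction of slide 12 (receiver inserts, sender addresses the identifier, triggers may chain) together with the dilution step on this slide, in Python. The identifiers, the destination string "V" and the packet counts are constructed for illustration.

```python
# Added example, not from the slides: a toy i3 rendezvous layer showing the
# trigger abstraction of slide 12 and the trigger-dropping dilution of slide 14.
# Identifiers, addresses and packet counts are constructed for illustration;
# real i3 stores triggers in a DHT and uses much longer identifiers.
from collections import Counter
from typing import Dict, Optional


class I3Overlay:
    """Rendezvous servers hold triggers (identifier -> destination). A
    destination is an address or, for chaining, another identifier."""

    def __init__(self) -> None:
        self.triggers: Dict[str, str] = {}
        self.delivered: Counter = Counter()   # destination -> packets delivered

    def insert_trigger(self, ident: str, dest: str) -> None:   # done by the receiver
        self.triggers[ident] = dest

    def remove_trigger(self, ident: str) -> None:              # receiver withdraws it
        self.triggers.pop(ident, None)

    def resolve(self, ident: str, max_chain: int = 8) -> Optional[str]:
        """Follow trigger chains to a destination that is not itself a trigger
        key (treated as an address). None if unknown, cyclic or too long."""
        for _ in range(max_chain):
            dest = self.triggers.get(ident)
            if dest is None:
                return None
            if dest not in self.triggers:
                return dest
            ident = dest
        return None

    def send(self, ident: str, data: bytes) -> Optional[str]:  # done by the sender
        """The sender knows only the identifier; the overlay forwards to the
        hidden destination. Returns the destination, or None if dropped."""
        dest = self.resolve(ident)
        if dest is not None:
            self.delivered[dest] += 1
        return dest


def dilution_demo(flood_per_trigger: int = 100):
    """Slide 14: attacker A floods V through V's four public triggers, V then
    drops two of them. Returns packets reaching V before and after the drop."""
    i3 = I3Overlay()
    public = ["x1", "x2", "x3", "x4"]
    for x in public:
        i3.insert_trigger(x, "V")
    def flood() -> int:
        return sum(i3.send(x, b"junk") == "V" for x in public for _ in range(flood_per_trigger))
    before = flood()
    for x in ("x1", "x2"):            # V withdraws half its public triggers
        i3.remove_trigger(x)
    return before, flood()
```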

SLIDE 15

Hi3

  • Basic approach: Combine HIP and (Secure) i3
  • Use i3 as a transport for HIP packets
  • Use regular IP(sec) for regular data traffic
  • Hides IP addresses until the Responder has been able to verify the puzzle
  • HIP mobility and multi-homing can be used to redirect and redistribute regular traffic

SLIDE 16

Hi3 overlay and IPsec connectivity

[Figure: i3 overlay based control plane alongside an IPsec based user plane]

SLIDE 17

Hi3 overlay and IPsec connectivity

  • i3 overlay for signalling (control plane)
  • Routes only HIP control packets
  • E2E IPsec ESP for data traffic (user plane)
  • Firewalls/middle boxes opened dynamically
  • Only end-to-end signalling (HIP)
  • Middle boxes “snoop” e2e messages
SLIDE 18

HIP vs IP connectivity

  IP connectivity             HIP connectivity
  Between any IP addresses    Between any HITs
  Created by routing          Created by DHT
  Hosts always reachable      Hosts reachable after signalling
  Unsecure                    (Opportunistically) Secure
  Broken by NATs and FWs      Goes through NATs and FWs

SLIDE 19

Upper layer view

  • IP connectivity problematic today
  • Broken by firewalls, NATs, mobility
  • Two versions of IP: IPv4 and IPv6
  • Hi3 as a potential remedy
  • Restores end-to-end connectivity
  • Handles mobility and multi-homing
  • Protects from DDoS attacks
SLIDE 20

Where is network state?

  • Routers know addresses
    • Just like today
  • DHT knows HITs
    • Lease based storage
  • Middle boxes know SPIs
    • Soft state

[Figure: the three layers Naming, Addressing and Routing]

SLIDE 21

Summary

  • Combine HIP and i3
  • HIP packets flow through i3 overlay
  • Regular traffic over today’s IP
  • IP addresses hidden in the beginning
  • Solves the HIT referral problems
  • Protects from DDoS attacks