LightningFilter: Traffic Filtering at 100 Gbps Presented by: - - PowerPoint PPT Presentation

▶

Dec 28, 2022 321 likes •526 views

LightningFilter: Traffic Filtering at 100 Gbps Presented by: Benjamin Rothenberger In collaboration with: Prof. Adrian Perrig, Juan Garca Pardo, Dominik Roos, Jonas Gude, Pascal Sprenger, Florian Jacky Project Goals High-speed packet

SLIDE 1

LightningFilter: Traffic Filtering at 100 Gbps

Presented by: Benjamin Rothenberger

In collaboration with:

Prof. Adrian Perrig, Juan Garcìa Pardo, Dominik Roos,

Jonas Gude, Pascal Sprenger, Florian Jacky

SLIDE 2

Project Goals

High-speed packet processing requires nanosecond
perations
Example: 64-byte packets @ 100Gbps: ~5ns processing time
Nanosecond scale key establishment
Nanosecond scale packet authentication
Trivia: how “long” is a nanosecond?
Answer: light travels about 30cm in 1ns

SLIDE 3

AS C

Use Case: Network Error Message Authentication

Internet AS A

AS B

Client Server

BR BR

X !

Solution: DRKey! Problem: only short time frame à Only possible using symmetric cryptography !

SLIDE 4

DRKey

Novel protocol based on symmetric cryptography
Intel AES-NI instructions enable key derivation within ~50 cycles

à Nanosecond scale!

Key computation is up to 3 times faster than DRAM lookup!

à Computing the key is faster than storing it in memory! à Foundation for many DDOS defense mechanisms

SLIDE 5

DRKey Performance

Factor: ~ 1450x

SLIDE 6

Lightning Filter

Traffic Filtering at 100 Gbps

SLIDE 7

Overview

Standard Firewall Lightning Filter

Authenticated traffic SCION traffic normal traffic Invalid traffic Firewall traffic

Internet

Border Router

$$$

SLIDE 8

System Design

............ ............ CONFIG FILE ............ ............

Metrics CLI DRKey Mgmt

Lightning Filter Data Plane Control Plane

Traffic Class. Source Auth. Rate Limiting Duplicate Supp.

Administrator Certificate Server Prometheus System Metric Exporter

SLIDE 9

Demo Outline

1. Attack scenario
Attacker located anywhere in Internet à Source authentication
2. Bandwidth capacity
120 Gbps traffic volumne
3. Filtering based on source authentication
Alternate between filtering and bypass every 30s
4. Duplicate suppression
80 Gbps duplicates traffic, 40 Gbps legitimate traffic

SLIDE 10

Attack Scenario: Internet Attacker

Internet

AS A

100 Mbps 120 Gbps 100 Mbps

SLIDE 11

Attack Scenario: Internet Attacker

Internet

AS A

100 Mbps

X

120 Gbps 100 Mbps

SLIDE 12

Questions?

SLIDE 13

Backup Slides

SLIDE 14

Communication between clients and server is authenticated

using DRKey

Key derivation for L2 keys is delegated to server

DRKey Scenario

AS Server AS AS Clients

Internet

SLIDE 15

DRKey Exchange Demo

1. Client requests the L2 key to communicate to the server from its

local CS

2. L1 key has not been prefetched à L1 key exchange
3. Server fetches the derivation secret for its delegation from CS
4. Server then derives the same L2 key locally
5. Do 100 runs and calculate average execution time

SLIDE 16

DRKey Hierarchy

Key establishment using a multi-level key hierarchy
L0: per-AS local secret key & per-AS public/private key pair
L1: AS-level key establishment (typically prefetched!)
L2: locally derive symmetric keys for end hosts

SLIDE 17

DRKey Key Exchange

AS B Internet AS A

BR BR CS CS

C S

Clients Server

L1 key exchange Fetch DS C C1 Fetch L2 key Locally derive L2 Key

SLIDE 18

Key Rollover

Key 𝐸𝑇#$% Fetching Key 𝐸𝑇#$& Active Key 𝐸𝑇# Key Rollover Grace Period Grace Period Fetching Key 𝐸𝑇#$' 0x0: 0x1: 0x2: Fetching Key 𝐸𝑇#$( t t + 1 t + 2 Key 𝐸𝑇#$% Key 𝐸𝑇#$' Active Key 𝐸𝑇#$' Active Key 𝐸𝑇#$%

SLIDE 19

Rate Limiting

allocation for next silce Used tokens in last slice Refill rate I) aggregate c1 c0 c3 c2 c1 c0 c3 c2 c1 c0 c3 c2 II) recompute III) distribute

Data Plane

a) Packet processing