Attack-Resistant Distributed Time Synchronization for Virtual Private Networks

Michael Rossberg, Rene Golembewski, Guenter Schaefer
Ilmenau University of Technology, Germany
ICCCN 2012

Overview

  • Distributed Services for Distributed VPNs
  • Objectives for Robust Time Synchronization
  • Approach
    – Offset Estimation
    – Synchronization
  • Evaluation
  • Conclusion & Outlook


Distributed Services for Distributed VPNs

  • Large VPNs with more than 100 end-points
  • Scalable, robust operation requires distributed configuration
  • But what about the centralized management?

[Figure: a public network interconnecting several private networks]

Distributed Services for Distributed VPNs

  • Secure time information is available only in some places
  • It must be distributed within the VPN
  • NTP etc. would create exposed points

[Figure: a public network interconnecting several private networks]

Objectives

  • Operation in a global environment (no broadcast etc.)
  • Synchronize internally & externally
  • Integrity (against internal attackers)
  • Robustness (jitter, asymmetric paths, perhaps DoS attacks)
  • Scalability

Approach – Overview

  • All nodes periodically
    – Exchange time information
    – Filter invalid data
    – Adapt towards the measured differences
  • Note: similar schemes exist in some wireless sensor network (WSN) approaches, but here the filtering and adaptation are made more robust, which is feasible in the VPN scenario

Approach – Offset Estimation

  • Measure RTT and time over the encrypted tunnel
  • Problem: the one-way delays T1 and T2 may differ due to:
    – Jitter
    – Queuing delays
    – Asymmetric paths
  → Take multiple measurements to filter out as much invalid data as we can

[Figure: A sends {N_A} to B; B replies with {N_A, Timestamp}; T1 and T2 are the delays of the two directions]

Approach – Siegel Estimators

[Figure: measured RTT [s] (0.00 to 0.12) against time [s] (1000 to 5000)]

  • Estimate RTTs and time offsets by linear functions
  • Robust estimation using the repeated median
  • Resistant against up to 50% outliers
  • Slopes indicate “confidence”
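The two slides above in working form, as an added example that is not the authors' code: one nonce-protected exchange is turned into an (RTT, offset) sample, and a series of such samples is fitted with Siegel's repeated median so that up to half of them may be corrupted. The symmetric-path assumption (T1 == T2) used to derive an offset from a single exchange, the 40 ms nominal RTT, the 1 ms/s drift and the 45% share of delayed replies are all constructed for the demonstration.

```python
"""Offset estimation over a nonce-protected RTT exchange and a Siegel
repeated-median fit of the samples against time.

Added example; not the authors' code.  The sample data is constructed, and
the symmetric-path assumption (T1 == T2) used to turn one exchange into an
offset sample is the usual one, not something the slides spell out."""
from statistics import median


def offset_sample(t_send, t_recv, peer_timestamp):
    """One exchange: A sends {N_A} at t_send (A's clock) and receives
    {N_A, peer_timestamp} at t_recv.  Assuming T1 == T2, B stamped the reply
    at the midpoint of the round trip, so B's clock minus A's clock at that
    instant is peer_timestamp - midpoint.  Returns (midpoint, rtt, offset)."""
    rtt = t_recv - t_send
    midpoint = t_send + rtt / 2.0
    return midpoint, rtt, peer_timestamp - midpoint


def repeated_median_fit(xs, ys):
    """Siegel's repeated median line fit: for every point take the median
    slope to all other points, then the median of those medians.  The
    intercept is the median residual.  Breakdown point: 50% of the samples
    may be arbitrary (queued, asymmetric, or attacker-controlled)."""
    n = len(xs)
    per_point = []
    for i in range(n):
        slopes = [(ys[j] - ys[i]) / (xs[j] - xs[i])
                  for j in range(n) if j != i and xs[j] != xs[i]]
        per_point.append(median(slopes))
    slope = median(per_point)
    intercept = median([y - slope * x for x, y in zip(xs, ys)])
    return slope, intercept


def constructed_samples(n=40, outlier_period=20, outliers_per_period=9):
    """Synthetic exchanges (constructed, not measured): B is 0.5 s ahead of
    A and drifts by 1 ms/s; the nominal RTT is 40 ms.  Nine of every twenty
    replies (45%) are delayed by an extra 0.5-2.75 s on the return path
    only, which corrupts both the RTT and the midpoint-based offset."""
    true_offset, drift, rtt = 0.5, 0.001, 0.040
    xs, rtts, offsets = [], [], []
    for k in range(n):
        t_send = 10.0 * k
        # B stamps the reply when the request arrives, rtt/2 after t_send
        stamp_time = t_send + rtt / 2.0
        peer_timestamp = stamp_time + true_offset + drift * stamp_time
        extra = 0.0
        if k % outlier_period < outliers_per_period:
            extra = 0.5 + 2.5 * ((k * 7) % 10) / 10.0   # deterministic delay
        midpoint, r, off = offset_sample(t_send, t_send + rtt + extra,
                                         peer_timestamp)
        xs.append(midpoint)
        rtts.append(r)
        offsets.append(off)
    return xs, rtts, offsets


def estimate(xs, rtts, offsets):
    """Fit both series.  The offset fit yields (drift, offset at t=0); the
    RTT slope should be ~0 on a stable path, which is the kind of signal the
    slides use as a confidence indicator."""
    return {"offset": repeated_median_fit(xs, offsets),
            "rtt": repeated_median_fit(xs, rtts)}


if __name__ == "__main__":
    fits = estimate(*constructed_samples())
    print("offset drift %.6f s/s, offset %.6f s" % fits["offset"])
    print("rtt slope %.6f, rtt %.6f s" % fits["rtt"])
```

Because 22 of the 40 constructed samples lie exactly on the true line, every inlier's per-point median and the final median both land on it, and the fit recovers the 1 ms/s drift and the 0.5 s offset although 45% of the replies were delayed by up to seconds; a least-squares fit on the same data would be pulled far off.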


Approach – Reducing the History

  • Longer history → more resistant against short-term changes
  • But:
    – Slower adaptation
    – More computation required
  • The history is thinned out over time using a Zipf distribution
  • Newer values are emphasized more
  • Old values still have an influence
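One way to realize the thinning described above, as an added example that is not the authors' code: the slide only says the history is thinned with a Zipf distribution, so the concrete rule here (keep the newest `base` samples in full, then cap each doubling age band at `base//2` samples) is an assumption that produces a 1/age retention density deterministically. The offset samples fed in are constructed.

```python
"""History thinning with a Zipf-like (1/age) retention density.

Added example, not the authors' code: the band rule below is an assumption
that realizes the slide's "thinned out using a Zipf distribution"."""
import math


def age_band(age, base):
    """Band index for a sample of the given age (in synchronization steps):
    -1 for age < base (kept in full), otherwise b with
    base*2**b <= age < base*2**(b+1)."""
    if age < base:
        return -1
    return int(math.log2(age / base))


def thin_history(history, now, base=16):
    """history: list of (t, value) in ascending t.  Every sample younger than
    `base` steps is kept; older samples are grouped into doubling age bands,
    each band keeps at most base//2 samples chosen evenly spaced, always
    including the band's oldest.  Each band therefore holds a bounded number
    of samples over a doubling age range, i.e. density ~ 1/age (Zipf-like):
    new values dominate, but old ones are never purged completely."""
    cap = max(1, base // 2)
    bands = {}
    for t, v in history:
        bands.setdefault(age_band(now - t, base), []).append((t, v))
    kept = []
    for b in sorted(bands, reverse=True):        # oldest band first
        cand = bands[b]                          # ascending t: index 0 oldest
        if b == -1 or len(cand) <= cap:
            kept.extend(cand)
        else:
            kept.extend(cand[int(k * len(cand) / cap)] for k in range(cap))
    return kept


def run(steps=1000, base=16):
    """Feed one constructed offset sample per step and thin after each."""
    hist = []
    for t in range(1, steps + 1):
        hist.append((t, 0.5 + 0.001 * t))       # constructed sample
        hist = thin_history(hist, now=t, base=base)
    return hist


def band_counts(history, now, base=16):
    """How many retained samples fall into each age band."""
    counts = {}
    for t, _ in history:
        b = age_band(now - t, base)
        counts[b] = counts.get(b, 0) + 1
    return counts


if __name__ == "__main__":
    h = run()
    print(len(h), "of 1000 samples retained; per band:", band_counts(h, 1000))
```

After 1000 steps the retained history is at most 16 + 8 × 6 = 64 samples: the 16 newest are all present, and the very first sample (t = 1) survives because the oldest entry of each band is always kept, which is exactly the "old values still have an influence" property the slide asks for at a bounded cost per synchronization step.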

Synchronization Step

  • The offset estimates of different partners are aggregated
  • A weighted median ensures that bad estimates and outliers have no influence
  • Dampening prevents over-compensation

Evaluation – Global Operation

  • Uses unicast only → might work globally
  • But: what about asymmetric paths?
  • Experiment:
    – 32 runs
    – Internet delays
    – Gamma-distributed jitter
  → No significant influence!

[Figure: σ of node offsets [s] (0.000 to 0.016) against the ratio of asymmetric links (0.0 to 0.6)]

Evaluation – Synchronization

  • Adaptation is guaranteed if and only if the graph of synchronization partners is
    – strongly connected, and
    – free of sub-graphs in which all nodes are more connected to the sub-graph than to the outside
  • Fortunately, this is the case for expander graphs and thus for most peer-to-peer systems (short proof in the paper)

Evaluation – Integrity

  • What influence do 10% attackers have (in a VPN with 100 nodes)?
  • The attackers try to circumvent the filter by gradually increasing the offsets they report
  • Measured σ after 500 synchronization steps
  → Some nodes are pulled away, but as the offset increases the filter works

[Figure: σ of node offsets [s] against attacker drift [ms/s] (1 to 9)]
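The synchronization step of slide 7 and the attack of the slide above, as an added example that is not the authors' simulator: honest nodes move a damped fraction toward the weighted median of their partners' reported offsets, while attackers start aligned with the honest median and raise what they report by a fixed amount per step. Simplifications, all assumed here: a complete partner graph (which is strongly connected and an expander), equal confidence weights, exact offset measurements without jitter, and a scaled-down VPN of 9 honest nodes and 1 attacker in place of 100 nodes with 10% attackers.

```python
"""Weighted-median aggregation with damping, run against attackers that
gradually increase the time they report.

Added example, not the authors' code.  Assumed simplifications: complete
partner graph, equal confidence weights, exact offset measurements, and a
constructed 9-honest + 1-attacker VPN."""


def weighted_median(values, weights):
    """Smallest value whose cumulative weight reaches half of the total."""
    order = sorted(zip(values, weights))
    half = sum(weights) / 2.0
    acc = 0.0
    for v, w in order:
        acc += w
        if acc >= half:
            return v
    return order[-1][0]


def sync_step(clocks, partners, reported, damping):
    """One round for the honest nodes in `clocks` (node -> local time).
    reported[j] is the time partner j claims; an honest node moves a fraction
    `damping` of the way toward the weighted median of reported[j] - own
    clock.  damping < 1 is what keeps nodes from overshooting each other."""
    new = {}
    for i, c in clocks.items():
        offsets = [reported[j] - c for j in partners[i]]
        weights = [1.0] * len(offsets)          # equal confidence (assumption)
        new[i] = c + damping * weighted_median(offsets, weights)
    return new


def simulate(initial_clocks, n_attackers, attacker_drift, damping, steps):
    """Honest nodes 0..h-1 start at initial_clocks; attackers h.. start at the
    honest median and add attacker_drift per step to what they report.
    Returns the honest clocks after each step (index 0 = start)."""
    h = len(initial_clocks)
    clocks = dict(enumerate(initial_clocks))
    ids = list(range(h + n_attackers))
    partners = {i: [j for j in ids if j != i] for i in range(h)}   # complete
    base = weighted_median(initial_clocks, [1.0] * h)
    history = [dict(clocks)]
    for k in range(1, steps + 1):
        reported = dict(clocks)
        for a in range(h, h + n_attackers):
            reported[a] = base + attacker_drift * k
        clocks = sync_step(clocks, partners, reported, damping)
        history.append(dict(clocks))
    return history


def spread(clocks):
    """Max minus min of the honest clocks (the slides report sigma instead)."""
    return max(clocks.values()) - min(clocks.values())


if __name__ == "__main__":
    two_clusters = [0.0] * 5 + [1.0] * 5
    print("no damping:", spread(simulate(two_clusters, 0, 0.0, 1.0, 20)[-1]))
    print("damping 0.5:", spread(simulate(two_clusters, 0, 0.0, 0.5, 20)[-1]))
    honest = [0.1 * i for i in range(9)]
    final = simulate(honest, 1, 0.01, 0.5, 100)[-1]
    print("with attacker: spread %.2e, clocks in [%.3f, %.3f]" % (
        spread(final), min(final.values()), max(final.values())))
```

Two things are visible in the runs. Without damping, two equally sized clusters at 0 s and 1 s swap places every step and never converge, which is the over-compensation the damping factor prevents; with damping 0.5 they meet in one step. With a complete graph and a 9-to-1 ratio, the median of nine partner values always lies between the fourth and sixth honest value, so the honest spread at least halves per step regardless of what the attacker reports, and the honest clocks never leave the interval spanned by their initial values: the attacker can shift where inside that interval the group settles while it is still within the cluster, but once its reported offset has grown beyond the cluster it is filtered out, matching the slide's observation.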

Evaluation – Scalability (I)

  • How does the VPN size affect synchronization precision?
  • Measured σ in steady state for growing VPN size
  → No significant impact!

[Figure: σ of node offsets [s] (0.000 to 0.016) against VPN size (25 to 400)]

Evaluation – Scalability (II)

  • How does the VPN size affect the time to stabilization?
  • Measured the number of steps until the error is < 0.1 s for growing VPN size
  → Sub-linear impact, despite the logarithmic scale of the size axis!

[Figure: required synchronization steps (50 to 400) against VPN size (25 to 400)]

Conclusion & Outlook

  • Scalable & robust approach to synchronize clocks in distributed systems
  • Can always be applied if the network graph has expansion properties
  • Optimizations still possible, e.g.:
    – Weighting of confidence factors
    – Blacklisting to avoid adaptive attackers

Thank you for your attention!

Michael Rossberg
michael.rossberg@tu-ilmenau.de
Ilmenau University of Technology, Germany